
Analysis Report CN-Invoice-XXXXX9808-19011143287990.exe

Overview

General Information

Sample Name: CN-Invoice-XXXXX9808-19011143287990.exe
Analysis ID: 355838
MD5: a656f522f604872e02daee9dbc458d9c
SHA1: e463d219a1d4dbde375e4f53c2fc250d6ee9d7f1
SHA256: a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
Tags: exe, FedEx, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
System process connects to network (likely due to code injection or exploit)
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • CN-Invoice-XXXXX9808-19011143287990.exe (PID: 5604 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
    • powershell.exe (PID: 1552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5380 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6268 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6552 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6752 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • CasPol.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • WerFault.exe (PID: 6188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 2564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6356 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6484 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6508 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6772 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6944 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
      • powershell.exe (PID: 5584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AdvancedRun.exe (PID: 844 cmdline: 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • svchost.exe (PID: 6964 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 7092 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7152 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6172 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)
  • svchost.exe (PID: 4568 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4560 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x110c5:$x1: NanoCore.ClientPluginHost
  • 0x43ee5:$x1: NanoCore.ClientPluginHost
  • 0x76b05:$x1: NanoCore.ClientPluginHost
  • 0x11102:$x2: IClientNetworkHost
  • 0x43f22:$x2: IClientNetworkHost
  • 0x76b42:$x2: IClientNetworkHost
  • 0x14c35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47a55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7a675:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x10e2d:$a: NanoCore
  • 0x10e3d:$a: NanoCore
  • 0x11071:$a: NanoCore
  • 0x11085:$a: NanoCore
  • 0x110c5:$a: NanoCore
  • 0x43c4d:$a: NanoCore
  • 0x43c5d:$a: NanoCore
  • 0x43e91:$a: NanoCore
  • 0x43ea5:$a: NanoCore
  • 0x43ee5:$a: NanoCore
  • 0x7686d:$a: NanoCore
  • 0x7687d:$a: NanoCore
  • 0x76ab1:$a: NanoCore
  • 0x76ac5:$a: NanoCore
  • 0x76b05:$a: NanoCore
  • 0x10e8c:$b: ClientPlugin
  • 0x1108e:$b: ClientPlugin
  • 0x110ce:$b: ClientPlugin
  • 0x43cac:$b: ClientPlugin
  • 0x43eae:$b: ClientPlugin
  • 0x43eee:$b: ClientPlugin
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xb77275:$x1: NanoCore.ClientPluginHost
  • 0xb95f49:$x1: NanoCore.ClientPluginHost
  • 0xbb4b30:$x1: NanoCore.ClientPluginHost
  • 0xb772d6:$x2: IClientNetworkHost
  • 0xb95faa:$x2: IClientNetworkHost
  • 0xbb4b91:$x2: IClientNetworkHost
  • 0xb7c6db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xb8a64d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xb9b3af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xba9321:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xbb9f96:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xbc7f08:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 7108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: CN-Invoice-XXXXX9808-19011143287990.exe, ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CN-Invoice-XXXXX9808-19011143287990.exe, Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: CN-Invoice-XXXXX9808-19011143287990.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CN-Invoice-XXXXX9808-19011143287990.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb* source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb>3 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: HcC:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB4 source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000008.00000000.260198849.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb?9W source: WerFault.exe, 0000001E.00000003.354208449.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdbL source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbows source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
        Source: Binary string: O.pdb? source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb| source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: oleaut32.pdbn source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: iertutil.pdbV4H0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcrypt.pdbv source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
        Source: Binary string: System.Drawing.pdb| source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl0.Y source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbqR source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb@ source: WERCCD7.tmp.dmp.30.dr
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
        Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 185.192.70.170:50005
        Source: global traffic | TCP traffic: 192.168.2.5:49739 -> 185.157.161.86:50005
        Source: global traffic | HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1  Host: coroloboxorozor.com  Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1  Host: coroloboxorozor.com
        Source: global traffic | HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1  Host: coroloboxorozor.com
        Source: Joe Sandbox View | IP Address: 185.157.161.86 185.157.161.86
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.161.86
        Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/751448401274A413C5FF91CCBC4EFF60.html
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://ocsp.sectigo.com0
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
        Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: http://www.nirsoft.net/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
        Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
        Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
        Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
        Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
        Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
        Source: svchost.exe, 00000012.00000003.288221774.000001F773232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: https://sectigo.com/CPS0C
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr | String found in binary or memory: https://sectigo.com/CPS0D
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
        Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310709236.000001F773240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
        Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
        Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287990.exe
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08396890 NtSetInformationThread | 0_2_08396890
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_0839F13B NtSetInformationThread | 0_2_0839F13B
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_0839F198 NtSetInformationThread | 0_2_0839F198
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BCF8C | 0_2_008BCF8C
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BCF80 | 0_2_008BCF80
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BF030 | 0_2_008BF030
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BD360 | 0_2_008BD360
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_008BB71C | 0_2_008BB71C
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08370040 | 0_2_08370040
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08398EB0 | 0_2_08398EB0
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08370016 | 0_2_08370016
        Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe | Code function: 0_2_08398EA1 | 0_2_08398EA1
        Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: svchost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534487700.0000000008080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000000.221983662.000000000008A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDXGI QpV.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.527751547.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
        Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
        Source: CN-Invoice-XXXXX9808-19011143287990.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teac