Play interactive tour

Edit tour

Analysis Report CN-Invoice-XXXXX9808-19011143287990.exe

Overview

General Information

Sample Name:	CN-Invoice-XXXXX9808-19011143287990.exe
Analysis ID:	355838
MD5:	a656f522f604872e02daee9dbc458d9c
SHA1:	e463d219a1d4dbde375e4f53c2fc250d6ee9d7f1
SHA256:	a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
Tags:	exeFedExNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

System process connects to network (likely due to code injection or exploit)

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to hide a thread from the debugger

Drops PE files with benign system names

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Tries to delay execution (extensive OutputDebugStringW loop)

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

CN-Invoice-XXXXX9808-19011143287990.exe (PID: 5604 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)

powershell.exe (PID: 1552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 5380 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 6268 cmdline: 'C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe' /SpecialRun 4101d8 5380 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 6496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6552 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6752 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

CasPol.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

WerFault.exe (PID: 6188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 2060 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 2564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6356 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6484 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6508 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6772 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6944 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)

powershell.exe (PID: 5584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 844 cmdline: 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\aae7ea5f-d28c-4ac0-af33-beecd9bd44c7\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

svchost.exe (PID: 6964 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 7092 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 7152 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6172 cmdline: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' MD5: A656F522F604872E02DAEE9DBC458D9C)

svchost.exe (PID: 4568 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 4560 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 4528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x110c5:$x1: NanoCore.ClientPluginHost 0x43ee5:$x1: NanoCore.ClientPluginHost 0x76b05:$x1: NanoCore.ClientPluginHost 0x11102:$x2: IClientNetworkHost 0x43f22:$x2: IClientNetworkHost 0x76b42:$x2: IClientNetworkHost 0x14c35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47a55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a675:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10e2d:$a: NanoCore 0x10e3d:$a: NanoCore 0x11071:$a: NanoCore 0x11085:$a: NanoCore 0x110c5:$a: NanoCore 0x43c4d:$a: NanoCore 0x43c5d:$a: NanoCore 0x43e91:$a: NanoCore 0x43ea5:$a: NanoCore 0x43ee5:$a: NanoCore 0x7686d:$a: NanoCore 0x7687d:$a: NanoCore 0x76ab1:$a: NanoCore 0x76ac5:$a: NanoCore 0x76b05:$a: NanoCore 0x10e8c:$b: ClientPlugin 0x1108e:$b: ClientPlugin 0x110ce:$b: ClientPlugin 0x43cac:$b: ClientPlugin 0x43eae:$b: ClientPlugin 0x43eee:$b: ClientPlugin
Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb77275:$x1: NanoCore.ClientPluginHost 0xb95f49:$x1: NanoCore.ClientPluginHost 0xbb4b30:$x1: NanoCore.ClientPluginHost 0xb772d6:$x2: IClientNetworkHost 0xb95faa:$x2: IClientNetworkHost 0xbb4b91:$x2: IClientNetworkHost 0xb7c6db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb8a64d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb9b3af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xba9321:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbb9f96:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbc7f08:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb76d7a:$a: NanoCore 0xb76d96:$a: NanoCore 0xb76ef1:$a: NanoCore 0xb76f00:$a: NanoCore 0xb771d9:$a: NanoCore 0xb77205:$a: NanoCore 0xb77275:$a: NanoCore 0xb86cb7:$a: NanoCore 0xb86cc9:$a: NanoCore 0xb86d05:$a: NanoCore 0xb95a4e:$a: NanoCore 0xb95a6a:$a: NanoCore 0xb95bc5:$a: NanoCore 0xb95bd4:$a: NanoCore 0xb95ead:$a: NanoCore 0xb95ed9:$a: NanoCore 0xb95f49:$a: NanoCore 0xba598b:$a: NanoCore 0xba599d:$a: NanoCore 0xba59d9:$a: NanoCore 0xbb4635:$a: NanoCore
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x75bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x75c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7973d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0x75935:$a: NanoCore 0x75945:$a: NanoCore 0x75b79:$a: NanoCore 0x75b8d:$a: NanoCore 0x75bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 7108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, NewProcessName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, OriginalFileName: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6772, ProcessCommandLine: 'C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe' , ProcessId: 6944

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: CN-Invoice-XXXXX9808-19011143287990.exe

ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\Documents\FaSHxnwjRFVyhBDRxvFVzLZ\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CN-Invoice-XXXXX9808-19011143287990.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: CN-Invoice-XXXXX9808-19011143287990.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CN-Invoice-XXXXX9808-19011143287990.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbo source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdbb440 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: fwpuclnt.pdb\4B0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdbZ4\0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb+_ source: WerFault.exe, 0000001E.00000003.353042308.00000000057F5000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3Zl source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: winnsi.pdb03 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdbJ source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb= source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb@! source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdbF source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb&& source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb@4V0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: ility.pdbn source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbR source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdbX source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: ole32.pdbT source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: WWCN-Invoice-XXXXX9808-19011143287990.PDB[[ source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: iVisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: System.Configuration.pdb`Q) source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb` source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: shell32.pdb, source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: rasman.pdbN4P0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: version.pdbz source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: Accessibility.pdb>)^ source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbT source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb* source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb>3 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: HcC:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB4 source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000008.00000000.260198849.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb?9W source: WerFault.exe, 0000001E.00000003.354208449.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbL source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbows source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534442041.0000000007F9F000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000001E.00000003.353674656.00000000057FC000.00000004.00000001.sdmp
Source:	Binary string: O.pdb? source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb\| source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: oleaut32.pdbn source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: iertutil.pdbV4H0 source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001E.00000003.354144153.00000000057E0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbv source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001E.00000003.353447648.0000000005681000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb\| source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.PDB source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.460006260.00000000004F8000.00000004.00000010.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000001E.00000003.353586234.0000000005698000.00000004.00000001.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001E.00000002.453753252.00000000059A0000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001E.00000003.352878832.00000000057E2000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000001E.00000003.352965020.00000000057EA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbgl0.Y source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbqR source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534358038.0000000007F80000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb@ source: WERCCD7.tmp.dmp.30.dr
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp, WERCCD7.tmp.dmp.30.dr
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000001E.00000003.352772187.00000000057EE000.00000004.00000040.sdmp

Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 185.192.70.170:50005
Source: global traffic	TCP traffic: 192.168.2.5:49739 -> 185.157.161.86:50005

Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View

IP Address: 185.157.161.86 185.157.161.86

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.161.86

Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/751448401274A413C5FF91CCBC4EFF60.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/95912DAC735F7FBEA8150232E35CAF73.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/84D1B49C9212CA5D522F0AF86A906727.html HTTP/1.1Host: coroloboxorozor.com

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/751448401274A413C5FF91CCBC4EFF60.html
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.471272964.0000000002471000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001E.00000003.345409871.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000002.271092950.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000027.00000000.419368466.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000012.00000003.310574824.000001F77325D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000002.312356651.000001F77325A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.310849812.000001F773241000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000012.00000003.310473925.000001F773260000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000012.00000003.288221774.000001F773232000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.22.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000012.00000002.312247860.000001F77323D000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.312067468.000001F773213000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000012.00000003.310709236.000001F773240000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000012.00000003.310807979.000001F773244000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000012.00000002.312327948.000001F77324F000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: CN-Invoice-XXXXX9808-19011143287990.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287990.exe

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_08396890 NtSetInformationThread,	0_2_08396890
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_0839F13B NtSetInformationThread,	0_2_0839F13B
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_0839F198 NtSetInformationThread,	0_2_0839F198

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_008BCF8C	0_2_008BCF8C
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_008BCF80	0_2_008BCF80
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_008BF030	0_2_008BF030
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_008BD360	0_2_008BD360
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_008BB71C	0_2_008BB71C
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_08370040	0_2_08370040
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_08398EB0	0_2_08398EB0
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_08370016	0_2_08370016
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287990.exe	Code function: 0_2_08398EA1	0_2_08398EA1

Source: C:\Users\user\AppData\Local\Temp\1481353f-436c-4b98-9136-3fbe69a7e8b4\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5604 -ip 5604

Source: CN-Invoice-XXXXX9808-19011143287990.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534877445.0000000008320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.534487700.0000000008080000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000000.221983662.000000000008A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.519819343.0000000003659000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDXGI QpV.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe, 00000000.00000002.527751547.0000000005B50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287990.exe
Source: CN-Invoice-XXXXX9808-19011143287990.exe	Binary or memory string: OriginalFilenameWgjnHXED.exe2 vs CN-Invoice-XXXXX9808-19011143287990.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: CN-Invoice-XXXXX9808-19011143287990.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.521351923.0000000003A25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287990.exe PID: 5604, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a25f38.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287990.exe.3a58d58.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teac

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CN-Invoice-XXXXX9808-19011143287990.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary: