
Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Sample Name: CN-Invoice-XXXXX9808-19011143287989.exe
Analysis ID: 356721
MD5: e9cd061b2286d8098153c9d9e2ed0b4b
SHA1: e30565df7c0597a76857532e4ca7df6d2728e7b5
SHA256: 520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
Tags: exe, NanoCore, signed

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
System process connects to network (likely due to code injection or exploit)
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • CN-Invoice-XXXXX9808-19011143287989.exe (PID: 6200 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)
    • powershell.exe (PID: 5864 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 744 cmdline: 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7016 cmdline: 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4780 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4240 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • CasPol.exe (PID: 4244 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 4928 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • WerFault.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 7132 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7060 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6140 cmdline: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)
  • svchost.exe (PID: 6020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 4876 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6180 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 3524 cmdline: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)
      • powershell.exe (PID: 6996 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5800 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "5c958888-f81c-42a4-939d-31983a2cd9ba", "Group": "wuzzy122", "Domain1": "185.157.160.233", "Domain2": "annapro.linkpc.net", "Port": 2212, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1056d:$x1: NanoCore.ClientPluginHost
  • 0x4338d:$x1: NanoCore.ClientPluginHost
  • 0x75fad:$x1: NanoCore.ClientPluginHost
  • 0x105aa:$x2: IClientNetworkHost
  • 0x433ca:$x2: IClientNetworkHost
  • 0x75fea:$x2: IClientNetworkHost
  • 0x140dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x46efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x102d5:$a: NanoCore
    • 0x102e5:$a: NanoCore
    • 0x10519:$a: NanoCore
    • 0x1052d:$a: NanoCore
    • 0x1056d:$a: NanoCore
    • 0x430f5:$a: NanoCore
    • 0x43105:$a: NanoCore
    • 0x43339:$a: NanoCore
    • 0x4334d:$a: NanoCore
    • 0x4338d:$a: NanoCore
    • 0x75d15:$a: NanoCore
    • 0x75d25:$a: NanoCore
    • 0x75f59:$a: NanoCore
    • 0x75f6d:$a: NanoCore
    • 0x75fad:$a: NanoCore
    • 0x10334:$b: ClientPlugin
    • 0x10536:$b: ClientPlugin
    • 0x10576:$b: ClientPlugin
    • 0x43154:$b: ClientPlugin
    • 0x43356:$b: ClientPlugin
    • 0x43396:$b: ClientPlugin
00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
22.2.svchost.exe.532d6f8.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x42dad:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x42dea:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        • 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140
Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140

Signature Overview

AV Detection:

Found malware configuration
Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "5c958888-f81c-42a4-939d-31983a2cd9ba", "Group": "wuzzy122", "Domain1": "185.157.160.233", "Domain2": "annapro.linkpc.net", "Port": 2212, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: CN-Invoice-XXXXX9808-19011143287989.exe, ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CN-Invoice-XXXXX9808-19011143287989.exe, Joe Sandbox ML: detected
Source: 25.2.CasPol.exe.5840000.9.unpack, Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: CN-Invoice-XXXXX9808-19011143287989.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CN-Invoice-XXXXX9808-19011143287989.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
        Source: Binary string: \??\C:\Windows\mscorlib.pdb( source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
        Source: Binary string: .pdb> source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InprocHandler32 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
        Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000000.684807713.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp
        Source: Binary string: npMiVisualBasic.pdbT]_ source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
        Source: Binary string: CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968675958.0000000006138000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb2F source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb00 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp

Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: 185.157.160.233
        Source: Malware configuration extractorURLs: annapro.linkpc.net
        Source: global trafficTCP traffic: 192.168.2.4:49754 -> 185.157.160.233:2212
        Source: global trafficTCP traffic: 192.168.2.4:49778 -> 105.112.108.188:2212
        Source: global trafficHTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
        Source: global trafficHTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
        Source: Joe Sandbox ViewIP Address: 185.157.160.233 185.157.160.233
        Source: Joe Sandbox ViewIP Address: 104.21.71.230 104.21.71.230
        Source: Joe Sandbox ViewASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
        Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: unknownTCP traffic detected without corresponding DNS query: 185.157.160.233
        Source: global traffic | HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1 | Host: coroloboxorozor.com | Connection: Keep-Alive (observed 3 times)
        Source: global traffic | HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1 | Host: coroloboxorozor.com (observed 3 times)
        Source: global traffic | HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1 | Host: coroloboxorozor.com (observed 3 times)
        Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/A665A0731C4748264DB5C2625CAB61D4.html
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html
        Source: powershell.exe, 00000005.00000003.689761499.00000000027E5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: powershell.exe, 00000005.00000003.808326949.0000000008D9E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micros
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
        Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.946142448.0000000004871000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
        Source: AdvancedRun.exe, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
        Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000005.00000003.689873810.000000000734E000.00000004.00000001.sdmp | String found in binary or memory: https://go.mic
        Source: powershell.exe, 00000005.00000003.782717627.0000000004C23000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0C
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
        Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
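Most of the "String found in binary or memory" rows above are not indicators at all: the digicert, sectigo and globalsign URLs are CRL, OCSP, CA-certificate and CPS pointers embedded in the Authenticode signature of the (signed) sample and of the PowerShell binaries, and the trailing "0", "0C", "0s", "0#" characters are the DER tag/length byte that follows each URL in the PKCS#7 blob, not part of the URL. The xmlsoap.org, apache.org, Pester and nirsoft.net strings come from .NET/PowerShell and the bundled AdvancedRun tool, and "http://crl.micros" / "https://go.mic" are strings cut off at a memory page boundary. The following is an added triage example, not Joe Sandbox code: it strips the DER residue from PKI URLs, sets aside the known-benign and truncated strings, and leaves coroloboxorozor.com as the only host to treat as C2. The host patterns, the benign-host set and the small TLD list used to spot truncation are heuristics assumed for this example; the sample strings are copied verbatim from the rows above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the "String found in binary or memory" values above,
# copied verbatim, DER residue and truncations included.
SAMPLE_STRINGS = [
    "http://coroloboxorozor.com",
    "http://coroloboxorozor.com/base/A665A0731C4748264DB5C2625CAB61D4.html",
    "http://coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html",
    "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    "http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:",
    "http://ocsp.digicert.com0C",
    "http://ocsp.digicert.com0O",
    "https://sectigo.com/CPS0D",
    "http://www.digicert.com/CPS0",
    "http://crl.globalsign.net/root-r2.crl0",
    "http://crl.micros",
    "https://go.mic",
    "http://schemas.xmlsoap.org/soap/encoding/",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "https://github.com/Pester/Pester",
    "http://www.nirsoft.net/",
]

# Authenticode embeds these URLs in DER; the byte after the URL is scanned as text.
PKI_HOST = re.compile(r"^(crl\d*|ocsp|cacerts|crt)\.", re.I)      # heuristic (assumption)
PKI_PATH_CPS = re.compile(r"/CPS(0[A-Za-z#:]?)?$")                 # CPS pointer, residue optional
DER_TAIL = re.compile(r"0[A-Za-z#:]?$")                            # "0", "0C", "0s", "0#", "0:"

# Hosts that appear because of PowerShell/.NET (WS-* schemas, Pester, Apache licence
# text) and the bundled NirSoft AdvancedRun tool. Kept in the output, not treated as C2.
KNOWN_BENIGN_HOSTS = {"schemas.xmlsoap.org", "www.apache.org", "pesterbdd.com",
                      "github.com", "www.nirsoft.net"}

# Small TLD list used only to spot strings cut off mid-hostname (assumption for the example).
TLDS = {"com", "net", "org", "io", "info", "biz", "ru", "de", "uk"}


def host_of(url):
    return urlsplit(url).hostname or ""


def normalize_pki_url(url):
    """Strip DER residue from a certificate-infrastructure URL; other URLs are returned as-is."""
    if PKI_HOST.match(host_of(url)) or PKI_PATH_CPS.search(url):
        return DER_TAIL.sub("", url)
    return url


def classify(url):
    """Return (category, normalized_url): truncated, pki, known_benign or review."""
    u = normalize_pki_url(url)
    host = host_of(u)
    if not host or host.rsplit(".", 1)[-1] not in TLDS:
        return "truncated", u               # cut off at a page boundary; not actionable
    if PKI_HOST.match(host) or PKI_PATH_CPS.search(u):
        return "pki", u                     # CRL/OCSP/CA-cert/CPS pointer from a signature
    if host in KNOWN_BENIGN_HOSTS:
        return "known_benign", u
    return "review", u                      # everything else is a candidate indicator


def triage(strings):
    """Bucket and de-duplicate the strings; normalization merges the ocsp.digicert.com variants."""
    buckets = defaultdict(set)
    for s in strings:
        cat, u = classify(s)
        buckets[cat].add(u)
    return {k: sorted(v) for k, v in buckets.items()}


def c2_hosts(strings):
    """Hosts left in the 'review' bucket: the ones worth blocking and hunting for."""
    return sorted({host_of(u) for u in triage(strings).get("review", [])})


if __name__ == "__main__":
    for cat, urls in triage(SAMPLE_STRINGS).items():
        print(cat)
        for u in urls:
            print("   ", u)
    print("C2 hosts:", c2_hosts(SAMPLE_STRINGS))
```

The residue strip is applied only to URLs that already look like certificate infrastructure, so a real indicator that happens to end in a digit is never altered; the PKI bucket is still worth a glance, because the CA that issued the code-signing certificate (Sectigo here) is what you would report for revocation.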