
Analysis Report ORDER.exe

Overview

General Information

Sample Name: ORDER.exe
Analysis ID: 433263
MD5: 425f6b1e9437b1f1db352d1393d236d5
SHA1: 65cf68fdda68b0327d51b7e3989afaa2258d4c6d
SHA256: cfb1e4b65fc8e0d9ca698ab5e67fc77735880b8439a6f4ee4e48be06ca631dc2
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • ORDER.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\ORDER.exe' MD5: 425F6B1E9437B1F1DB352D1393D236D5)
    • schtasks.exe (PID: 6920 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER.exe (PID: 7148 cmdline: {path} MD5: 425F6B1E9437B1F1DB352D1393D236D5)
      • schtasks.exe (PID: 4388 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp777A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ORDER.exe (PID: 6044 cmdline: C:\Users\user\Desktop\ORDER.exe 0 MD5: 425F6B1E9437B1F1DB352D1393D236D5)
    • schtasks.exe (PID: 7116 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE00.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER.exe (PID: 4480 cmdline: {path} MD5: 425F6B1E9437B1F1DB352D1393D236D5)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "30b6fbac-dd0d-47bd-b8ab-6df66b01",
  "Group": "Default",
  "Domain1": "kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu",
  "Domain2": "",
  "Port": 1187,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x116d1d:$x1: NanoCore.ClientPluginHost
  • 0x14973d:$x1: NanoCore.ClientPluginHost
  • 0x116d5a:$x2: IClientNetworkHost
  • 0x14977a:$x2: IClientNetworkHost
  • 0x11a88d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x14d2ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source: 24.2.ORDER.exe.2b93884.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 24.2.ORDER.exe.2b93884.2.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 16.2.ORDER.exe.3e07b90.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 16.2.ORDER.exe.3e07b90.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 16.2.ORDER.exe.3e07b90.2.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

Sigma detected: NanoCore (reported under AV Detection, E-Banking Fraud, Stealing of Sensitive Information, and Remote Access Functionality)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\ORDER.exe, ProcessId: 7148, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        AV Detection:

Found malware configuration
Source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Odstcl.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: ORDER.exe | Virustotal: Detection: 33%
Source: ORDER.exe | ReversingLabs: Detection: 45%
Yara detected Nanocore RAT
Source: 24.2.ORDER.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.ORDER.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.ORDER.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.ORDER.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.ORDER.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.ORDER.exe.59c0000.11.unpack | Avira: Label: TR/NanoCore.fadte
Source: 13.2.ORDER.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: ORDER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: ORDER.exe, 00000001.00000002.738501405.0000000006650000.00000002.00000001.sdmp, ORDER.exe, 0000000D.00000002.910515299.00000000055A0000.00000002.00000001.sdmp, ORDER.exe, 00000010.00000002.817531838.0000000006370000.00000002.00000001.sdmp

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 185.140.53.135:1187
Source: Joe Sandbox View | IP Address: 185.140.53.135
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu
Source: ORDER.exe, 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORY
        Source: Yara match | File source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bbeb0c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bbeb0c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c0000.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d1eb0c.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d23135.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bc3135.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d1eb0c.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.910722949.0000000005600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.ORDER.exe.2b93884.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.59c4629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.ORDER.exe.59c0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.ORDER.exe.5600000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.ORDER.exe.3bbeb0c.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.ORDER.exe.3bbeb0c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.59c0000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.3d1eb0c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.ORDER.exe.3d23135.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.ORDER.exe.3bc3135.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.2ce1648.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.ORDER.exe.3d1eb0c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        .NET source code contains very large strings
        Source: ORDER.exe, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: Odstcl.exe.1.dr, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 1.0.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 1.2.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 13.0.ORDER.exe.690000.2.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 13.0.ORDER.exe.690000.4.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 13.2.ORDER.exe.690000.1.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 13.0.ORDER.exe.690000.0.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 16.2.ORDER.exe.590000.0.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 16.0.ORDER.exe.590000.0.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Source: 24.0.ORDER.exe.550000.4.unpack, ContactManagement/ContactForm.cs | Long String: Length: 11840
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: ORDER.exe
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04FE152A NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04FE14EF NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_00BE2477
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB20B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBC9C0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB0180
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB56A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB3678
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB3E28
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB47C1
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBBB80
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBC720
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB2731
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBB48E
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBA480
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBB490
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB20A9
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBC4A8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB70B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB7860
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB7870
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9C00
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB89C8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB75F9
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBC9B0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB0170
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBA504
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB568B
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB365B
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9E51
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9E60
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB7608
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB7A11
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB6E20
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB6E30
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB73E0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9BF1
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB73F0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB8F98
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB8F5B
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBA76A
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9768
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CBBB7B
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB9778
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB2B78
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04ECB0A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC3850
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC86B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC92B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC2FA8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC23A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC306F
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC95CB
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC9B60
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04EC937F
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D3678
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D3E30
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC6B0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D56A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D2740
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DBB00
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D47D0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D20B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC940
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D0180
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9E60
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9E51
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D6E30
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D7A20
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D6E20
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D3E23
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D7A11
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D3609
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D7608
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DBAF0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DAACF
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC6A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D5687
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9778
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D2B73
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9768
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DA76A
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D8F41
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9BF1
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D73F0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D73E0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D47C3
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D8F98
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D2B80
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D7870
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D7860
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D8448
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC438
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC428
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DA418
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D9C00
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D70C8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D70B8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D20A9
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DB490
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DB48B
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DA480
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D0170
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DC930
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027DA504
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D75F9
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D3DE0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D35D8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D89C8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D89C1
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 16_2_027D55A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 24_2_04DB2FA8
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 24_2_04DB23A0
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 24_2_04DB3850
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 24_2_04DB306F
        Source: ORDER.exe | Binary or memory string: OriginalFilename vs ORDER.exe
        Source: ORDER.exe, 00000001.00000000.639462168.0000000000472000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCEXv.exeF vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.738501405.0000000006650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.738764924.0000000006870000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.735079668.0000000005000000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.739147705.0000000006B30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.739147705.0000000006B30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER.exe
        Source: ORDER.exe, 00000001.00000002.739054988.0000000006AD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER.exe
        Source: ORDER.exe | Binary or memory string: OriginalFilename vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.910993960.00000000059B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.907073021.0000000000692000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCEXv.exeF vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.910515299.00000000055A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.911600537.0000000006270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ORDER.exe
        Source: ORDER.exe, 0000000D.00000002.909926045.0000000004FD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ORDER.exe
        Source: ORDER.exe | Binary or memory string: OriginalFilename vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.817531838.0000000006370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.810578210.0000000000592000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCEXv.exeF vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.816032614.00000000051A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.818255998.0000000006830000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.818255998.0000000006830000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.818162192.00000000067D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.815401049.0000000003EB7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER.exe
        Source: ORDER.exe, 00000010.00000002.811501603.0000000000C5A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs ORDER.exe
        Source: ORDER.exe | Binary or memory string: OriginalFilename vs ORDER.exe
        Source: ORDER.exe, 00000018.00000000.809641342.0000000000552000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCEXv.exeF vs ORDER.exe
        Source: ORDER.exe, 00000018.00000002.826634288.0000000004EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs ORDER.exe
        Source: ORDER.exe, 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ORDER.exe
        Source: ORDER.exe, 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ORDER.exe
        Source: ORDER.exe, 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs ORDER.exe
        Source: ORDER.exe | Binary or memory string: OriginalFilenameCEXv.exeF vs ORDER.exe
        Source: ORDER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.910722949.0000000005600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.910722949.0000000005600000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.ORDER.exe.2b93884.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.2b93884.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.59c4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.59c4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.ORDER.exe.59c0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.59c0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.ORDER.exe.5600000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.5600000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.ORDER.exe.3bbeb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.3bbeb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.ORDER.exe.3bbeb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.3bbeb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.59c0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.59c0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.3d1eb0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.3d1eb0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.ORDER.exe.3d23135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.3d23135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.ORDER.exe.3bc3135.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.ORDER.exe.3bc3135.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.2ce1648.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.2ce1648.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.ORDER.exe.3d1eb0c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.ORDER.exe.3d1eb0c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: Odstcl.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: ORDER.exe, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: Odstcl.exe.1.dr, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.0.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.0.ORDER.exe.690000.2.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/7@16/2
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04FE12EA AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_04FE12B3 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Roaming\Odstcl.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
        Source: C:\Users\user\Desktop\ORDER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\ORDER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{30b6fbac-dd0d-47bd-b8ab-6df66b017896}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
        Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp
        Source: ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\ORDER.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\ORDER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\ORDER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\ORDER.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: ORDER.exe | Virustotal: Detection: 33%
        Source: ORDER.exe | ReversingLabs: Detection: 45%
        Source: C:\Users\user\Desktop\ORDER.exe | File read: C:\Users\user\Desktop\ORDER.exe
        Source: unknown | Process created: C:\Users\user\Desktop\ORDER.exe 'C:\Users\user\Desktop\ORDER.exe'
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Users\user\Desktop\ORDER.exe {path}
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp777A.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\ORDER.exe C:\Users\user\Desktop\ORDER.exe 0
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE00.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Users\user\Desktop\ORDER.exe {path}
        Source: C:\Users\user\Desktop\ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: ORDER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: ORDER.exe, 00000001.00000002.738501405.0000000006650000.00000002.00000001.sdmp, ORDER.exe, 0000000D.00000002.910515299.00000000055A0000.00000002.00000001.sdmp, ORDER.exe, 00000010.00000002.817531838.0000000006370000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains method to dynamically call methods (often used by packers)
        Source: ORDER.exe, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: Odstcl.exe.1.dr, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 1.0.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 1.2.ORDER.exe.470000.0.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 13.0.ORDER.exe.690000.2.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 13.0.ORDER.exe.690000.4.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 13.2.ORDER.exe.690000.1.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 13.0.ORDER.exe.690000.0.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 16.2.ORDER.exe.590000.0.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 16.0.ORDER.exe.590000.0.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 24.0.ORDER.exe.550000.4.unpack, ContactManagement/ContactForm.cs | .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
        .NET source code contains potential unpacker
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55CB push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55C7 push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55DB push ecx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55D7 push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55EB push ebx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55E7 push ebx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55F3 push ebx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55AB push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55AF push ecx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55A3 push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55A7 push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55BB push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB55B3 push ebp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5683 push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5687 push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB564B push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB564F push ebx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5647 push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB565B push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB565F push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5653 push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5663 push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5667 push ebx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB567B push esp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5673 push ecx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5607 push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5617 push edx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB562B push ebp; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5627 push ecx; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 1_2_04CB5633 push eax; retf
        Source: C:\Users\user\Desktop\ORDER.exe | Code function: 13_2_027A9D58 pushad ; retf
        Source: initial sample | Static PE information: section name: .text entropy: 7.72970366103
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.0.ORDER.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.0.ORDER.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.2.ORDER.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 24.2.ORDER.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 24.0.ORDER.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 24.0.ORDER.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Roaming\Odstcl.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Users\user\Desktop\ORDER.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\ORDER.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ORDER.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: ORDER.exe PID: 6044, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: ORDER.exe, 00000001.00000002.730698080.0000000002BA2000.00000004.00000001.sdmp, ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: ORDER.exe, 00000001.00000002.730698080.0000000002BA2000.00000004.00000001.sdmp, ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\ORDER.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\ORDER.exeThread delayed: delay time: 922337203685477 (identical entry repeated 4 times)
        Source: C:\Users\user\Desktop\ORDER.exeWindow / User API: foregroundWindowGot 724
        Source: C:\Users\user\Desktop\ORDER.exe TID: 7028Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\ORDER.exe TID: 404Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\ORDER.exe TID: 404Thread sleep count: 151 > 30
        Source: C:\Users\user\Desktop\ORDER.exe TID: 404Thread sleep count: 141 > 30
        Source: C:\Users\user\Desktop\ORDER.exe TID: 816Thread sleep count: 128 > 30
        Source: C:\Users\user\Desktop\ORDER.exe TID: 404Thread sleep count: 47 > 30
        Source: C:\Users\user\Desktop\ORDER.exe TID: 1316Thread sleep count: 36 > 30
        Source: C:\Users\user\Desktop\ORDER.exe TID: 1316Thread sleep time: -720000s >= -30000s
        Source: C:\Users\user\Desktop\ORDER.exe TID: 4620Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\ORDER.exe TID: 4604Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed (identical entry repeated 3 times)
        Source: C:\Users\user\Desktop\ORDER.exeCode function: 13_2_04FE1012 GetSystemInfo,
        Source: C:\Users\user\Desktop\ORDER.exeThread delayed: delay time: 922337203685477 (identical entry repeated 4 times)
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: ORDER.exe, 0000000D.00000002.911600537.0000000006270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: ORDER.exe, 0000000D.00000002.911600537.0000000006270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: ORDER.exe, 0000000D.00000002.911600537.0000000006270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: ORDER.exe, 00000010.00000002.813220152.0000000002D32000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: ORDER.exe, 0000000D.00000002.911600537.0000000006270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\ORDER.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\ORDER.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\ORDER.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\ORDER.exeMemory written: C:\Users\user\Desktop\ORDER.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\ORDER.exeMemory written: C:\Users\user\Desktop\ORDER.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp'
        Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Users\user\Desktop\ORDER.exe {path}
        Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp777A.tmp'
        Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE00.tmp'
        Source: C:\Users\user\Desktop\ORDER.exeProcess created: C:\Users\user\Desktop\ORDER.exe {path}
        Source: ORDER.exe, 0000000D.00000002.908970440.0000000002D24000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: ORDER.exe, 0000000D.00000002.907813908.0000000001350000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: ORDER.exe, 0000000D.00000002.907813908.0000000001350000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: ORDER.exe, 0000000D.00000002.907813908.0000000001350000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 6952, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 4480, type: MEMORY
        Source: Yara match | File source: Process Memory Space: ORDER.exe PID: 7148, type: MEMORY
        Source: Yara match | File source: 16.2.ORDER.exe.3e07b90.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c4629.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3c77b90.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bb9cd6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c0000.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3c77b90.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bbeb0c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.ORDER.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bbeb0c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.59c0000.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d1eb0c.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.ORDER.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d23135.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.ORDER.exe.3bc3135.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d19cd6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.ORDER.exe.3d1eb0c.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3ec1978.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 16.2.ORDER.exe.3e07b90.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.ORDER.exe.3e35f68.3.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: ORDER.exe, 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: ORDER.exe, 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: ORDER.exe, 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: ORDER.exe, 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: ORDER.exe, 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed for this signature under Stealing of Sensitive Information above
        Source: C:\Users\user\Desktop\ORDER.exeCode function: 13_2_04FE283A bind,
        Source: C:\Users\user\Desktop\ORDER.exeCode function: 13_2_04FE27E8 bind,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Masquerading (1) | Input Capture (1 1) | Security Software Discovery (2 1 1) | Remote Services | Input Capture (1 1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (1 1 2) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1 1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (3 1) | Security Account Manager | Virtualization/Sandbox Evasion (3 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (1 1 2) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (1 1) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Information Discovery (1 3) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (2) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing (2 3) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 433263; Sample: ORDER.exe; Start date: 11/06/2021; Architecture: WINDOWS; Score: 100 (graph image not reproduced; the node information recoverable from it follows)

        • Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures
        • ORDER.exe (first instance): drops C:\Users\user\AppData\Roaming\Odstcl.exe (PE32), C:\Users\user\AppData\Local\...\tmp6A1C.tmp (XML) and C:\Users\user\AppData\Local\...\ORDER.exe.log (ASCII); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes; starts a child ORDER.exe and schtasks.exe (with conhost.exe)
        • ORDER.exe (second instance): starts schtasks.exe (with conhost.exe) and a child ORDER.exe
        • Child ORDER.exe of the first instance: contacts kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu (185.140.53.135, ports 1187, 49760, 49762; DAVID_CRAIGGG, Sweden) and 192.168.2.1; drops C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); signature: Hides that the sample has been downloaded from the Internet (zone.identifier); starts schtasks.exe (with conhost.exe)

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        ORDER.exe | 33% | Virustotal |
        ORDER.exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Odstcl.exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        24.2.ORDER.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        24.0.ORDER.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.0.ORDER.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        24.0.ORDER.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.0.ORDER.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.2.ORDER.exe.59c0000.11.unpack | 100% | Avira | TR/NanoCore.fadte
        13.2.ORDER.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 2% | Virustotal |

        URLs


        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        (empty) | true | Avira URL Cloud: safe | low
        kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries


                                      Contacted IPs

                                      Public

                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      185.140.53.135 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | Sweden | 209623 | DAVID_CRAIGGG | true

                                      Private

                                      IP
                                      192.168.2.1

                                      General Information

                                      Joe Sandbox Version:32.0.0 Black Diamond
                                      Analysis ID:433263
                                      Start date:11.06.2021
                                      Start time:14:58:20
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 10m 55s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:ORDER.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:26
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@15/7@16/2
                                      EGA Information:Failed
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 92.122.145.220, 168.61.161.212, 13.64.90.137, 20.82.210.154, 20.54.104.15, 20.54.26.129, 20.54.7.98, 8.241.82.126, 8.238.36.126, 8.238.30.254, 8.238.29.126, 8.238.27.126, 92.122.213.247, 92.122.213.194
                                      • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
14:59:49 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\ORDER.exe" s>$(Arg0)
14:59:49 | API Interceptor | 689x Sleep call for process: ORDER.exe modified

                                      Joe Sandbox View / Context

                                      IPs

Match | Associated Sample Name / URL | Detection
185.140.53.135 | CONTRACT.exe | malicious
185.140.53.135 | Swift.exe | malicious
185.140.53.135 | 5U8Z6pqTlhp68RB.exe | malicious
185.140.53.135 | HY_RAY_RFQ,pdf .exe | malicious
185.140.53.135 | Shipping_Documents_INV_PL_and_BL,pdf.exe | malicious
185.140.53.135 | Geno_Quotation,pdf.exe | malicious
185.140.53.135 | PO20002106.exe | malicious
185.140.53.135 | SOA_30_11_2020,pdf.exe | malicious
185.140.53.135 | 20201229_QUA_20Y0252,pdf.exe | malicious
185.140.53.135 | PO029734,pdf.exe | malicious
185.140.53.135 | VSI_202012223,pdf.exe | malicious
185.140.53.135 | PO968_8359808,pdf.exe | malicious
185.140.53.135 | purchase order # 10000000648.pdf.exe | malicious
185.140.53.135 | Order 20015639 15-10-2020,pdf.exe | malicious
185.140.53.135 | shipping documents.doc | malicious
185.140.53.135 | POEA-MANNING ADVISORY 2020-56.PDF.exe | malicious
185.140.53.135 | Doc_1110_090820.exe | malicious
185.140.53.135 | Doc0_01210_72820.exe | malicious

                                                                          Domains

Match | Associated Sample Name / URL | Detection | Context
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | CONTRACT.exe | malicious | 185.140.53.135
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | Swift.exe | malicious | 185.140.53.135
kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 5U8Z6pqTlhp68RB.exe | malicious | 185.140.53.135

                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | ORDER-21611docx.exe | malicious | 185.165.153.116
DAVID_CRAIGGG | 6VYNUalwUt.exe | malicious | 185.244.30.92
DAVID_CRAIGGG | ORDER-6010.pdf.exe | malicious | 185.244.30.92
DAVID_CRAIGGG | CONTRACT.exe | malicious | 185.140.53.135
DAVID_CRAIGGG | doc03027320210521173305IMG0012.exe | malicious | 185.140.53.230
DAVID_CRAIGGG | yfilQwrYpA.exe | malicious | 185.140.53.216
DAVID_CRAIGGG | Ff6m4N8pog.exe | malicious | 185.140.53.216
DAVID_CRAIGGG | yCdBrRiAN2.exe | malicious | 185.140.53.216
DAVID_CRAIGGG | loKHQzx6Lf.exe | malicious | 185.140.53.216
DAVID_CRAIGGG | SecuriteInfo.com.Program.Win32.Wacapew.Cml.7225.exe | malicious | 185.140.53.129
DAVID_CRAIGGG | Shipping Documents_Bill of Lading 910571880.exe | malicious | 185.140.53.129
DAVID_CRAIGGG | knqh5Hw6gu.exe | malicious | 185.140.53.13
DAVID_CRAIGGG | Container_Deposit_slip_pdf.jar | malicious | 185.244.30.47
DAVID_CRAIGGG | Cargo Charter Request details.vbs | malicious | 185.244.30.184
DAVID_CRAIGGG | Shipping Documents_Bill of Lading 910571880,pdf.exe | malicious | 185.140.53.129
DAVID_CRAIGGG | WarkZh7G8j6Xo8r.exe | malicious | 91.193.75.66
DAVID_CRAIGGG | Re R new proforma.exe | malicious | 185.140.53.138
DAVID_CRAIGGG | PO20880538.exe | malicious | 185.140.53.129
DAVID_CRAIGGG | QI5MR3pte0.exe | malicious | 185.140.53.40
DAVID_CRAIGGG | 5Em2NXNxSt.exe | malicious | 185.140.53.40

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ORDER.exe.log
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):525
                                                                          Entropy (8bit):5.2874233355119316
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                          Malicious:true
                                                                          Reputation:high, very likely benign file
                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1639
                                                                          Entropy (8bit):5.168844125271163
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGHBtn:cbhK79lNQR/rydbz9I3YODOLNdq38
                                                                          MD5:F8CF011BF6E5580EAE43A61562FFE6F0
                                                                          SHA1:595C40DE064CF3E87D5266529C2E0F5A0277F020
                                                                          SHA-256:7EE91880594E206246BE39C4348D060546A40D200AF3213CC7DFBCB9848F84AA
                                                                          SHA-512:72ABBE277F95CB790031FF7639B3123202E312908839ABCE6A2EB957D164D5964C1DE924C7A9DC47F11D03EDBE61E93D7DCD2057CDB02113B783D0240F1BE929
                                                                          Malicious:true
                                                                          Reputation:low
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                          C:\Users\user\AppData\Local\Temp\tmp777A.tmp
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1295
                                                                          Entropy (8bit):5.09846064283307
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YVlxtn:cbk4oL600QydbQxIYODOLedq3Hj
                                                                          MD5:8F1E8C51D91DF67169BEE20FF3FFEAF6
                                                                          SHA1:032E2A290F6D69952BB614F1C2CC33B755854FF5
                                                                          SHA-256:DF437CB636EA881017FD876748F164EEA207D89695EB6F6E5A3C9BD1F0215E1C
                                                                          SHA-512:8311E6829EC9343284E7E414FD4B555EDD37681F35ED4440A306093A0D69EE90E7811A8235966A7F8AB055D6718B99A0A99D34BA6F75C7CD0FFEBC988D1D60B0
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Local\Temp\tmpFE00.tmp
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1639
                                                                          Entropy (8bit):5.168844125271163
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGHBtn:cbhK79lNQR/rydbz9I3YODOLNdq38
                                                                          MD5:F8CF011BF6E5580EAE43A61562FFE6F0
                                                                          SHA1:595C40DE064CF3E87D5266529C2E0F5A0277F020
                                                                          SHA-256:7EE91880594E206246BE39C4348D060546A40D200AF3213CC7DFBCB9848F84AA
                                                                          SHA-512:72ABBE277F95CB790031FF7639B3123202E312908839ABCE6A2EB957D164D5964C1DE924C7A9DC47F11D03EDBE61E93D7DCD2057CDB02113B783D0240F1BE929
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:ISO-8859 text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:t9+:P+
                                                                          MD5:9E9C776D1074DFE1E684AAD1D917A727
                                                                          SHA1:D995B8935AAFCA0E412C630EF4FF101C653A3785
                                                                          SHA-256:EE168FBC34E8D827CED4BFCD72848540E46F7F9475BA50D46E7A724BD47E2911
                                                                          SHA-512:7469C097FEDFA9160EC245F31627CB45F6402E3F4C2DDD5CC9C8BA81FCCB6BEEAA7787A493783A59CECE8881A960E47004058349CDDDA90CF3D7263B7DC44E1E
                                                                          Malicious:true
                                                                          Reputation:low
                                                                          Preview: -N`..,.H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):32
                                                                          Entropy (8bit):3.9496987351738495
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNt+WfWqG3Jn:oNwvqgJ
                                                                          MD5:F2F2E9E658CF35F1C5999C1870420D3C
                                                                          SHA1:42D5DE29AA59D9860FAFD167334DC3BED9586484
                                                                          SHA-256:AEB7B972FF18BCA62298F2BD912F8E8AC68337A714F1E868208AECC480301F99
                                                                          SHA-512:078F5697674727E038177A5A09D2FEDD0AC5474B157C346155F29A8119F49CC49B3C09C861E50404CD3D03031734968A0C796785E0696C5E694433304F15ACA0
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\Desktop\ORDER.exe
                                                                          C:\Users\user\AppData\Roaming\Odstcl.exe
                                                                          Process:C:\Users\user\Desktop\ORDER.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):536064
                                                                          Entropy (8bit):7.699438756547545
                                                                          Encrypted:false
                                                                          SSDEEP:12288:SwbjmMziWZrnoSSmaLBWIRqzPc/yt7ZX9HqUSagcq:q6jd9IcUyt7ZX5DSjc
                                                                          MD5:425F6B1E9437B1F1DB352D1393D236D5
                                                                          SHA1:65CF68FDDA68B0327D51B7E3989AFAA2258D4C6D
                                                                          SHA-256:CFB1E4B65FC8E0D9CA698AB5E67FC77735880B8439A6F4EE4E48BE06CA631DC2
                                                                          SHA-512:EACCC681B25DDD203B0A79ECBFA1E464B129066F7090069BDB7D5F9D4955A57D86F1D76441F2E141BFEA1E249B8A43C8AED527EC18B5238066F75CFDFB794805
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 46%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............~7... ...@....@.. ....................................@.................................,7..O....@..\....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc.......`.......,..............@..B................`7......H.......@...L.......?....v..............................................^.(........}......}....*.0............t......t......o.....{....o....o......o.....{....o....o......o.....{....o....o.....o.....{....o....o.....(.......{........,....e..+......+...*..0............}.....(.......(......r...p.(....(....o......{.....(....o......{....r...po......{.....(....o......{.....(....o......{.....(....o.....*..0.._........(.........(.....o............,)....t......o....r!..p(......,..o....

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.699438756547545
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: ORDER.exe
File size: 536064
MD5: 425f6b1e9437b1f1db352d1393d236d5
SHA1: 65cf68fdda68b0327d51b7e3989afaa2258d4c6d
SHA256: cfb1e4b65fc8e0d9ca698ab5e67fc77735880b8439a6f4ee4e48be06ca631dc2
SHA512: eaccc681b25ddd203b0a79ecbfa1e464b129066f7090069bdb7d5f9d4955a57d86f1d76441f2e141bfea1e249b8a43c8aed527ec18b5238066f75cfdfb794805
SSDEEP: 12288:SwbjmMziWZrnoSSmaLBWIRqzPc/yt7ZX9HqUSagcq:q6jd9IcUyt7ZX5DSjc
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............~7... ...@....@.. ....................................@................................

File Icon

Icon Hash: 18da1abcb2d2d2b0

Static PE Info

General

Entrypoint: 0x48377e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60C2CD9C [Fri Jun 11 02:42:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8372c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x105c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x81784 | 0x81800 | False | 0.877169929416 | data | 7.72970366103 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x105c | 0x1200 | False | 0.270182291667 | data | 2.85061195999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x84100 | 0x8a8 | dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON | 0x849b8 | 0x14 | data
RT_VERSION | 0x849dc | 0x480 | data
RT_MANIFEST | 0x84e6c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | December 19th, 2006
Assembly Version | 1.0.7.8
InternalName | CEXv.exe
FileVersion | 1.0.7.8
CompanyName | Coded by James O'Cull
LegalTrademarks |
Comments | Contact management is a solution for anyone who needs to be able to access their list of contacts from removable media without any installation.
ProductName | Contact Management
ProductVersion | 1.0.7.8
FileDescription | Contact Management
OriginalFilename | CEXv.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Jun 11, 2021 14:59:51.648925066 CEST497601187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:51.700213909 CEST118749760185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 14:59:52.207346916 CEST497601187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:52.256445885 CEST118749760185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 14:59:52.773591042 CEST497601187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:52.828273058 CEST118749760185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 14:59:57.839159012 CEST497621187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:57.888092995 CEST118749762185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 14:59:58.395390034 CEST497621187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:58.445765018 CEST118749762185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 14:59:58.958120108 CEST497621187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 14:59:59.007491112 CEST118749762185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:03.327218056 CEST497631187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:03.376283884 CEST118749763185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:03.880577087 CEST497631187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:03.929704905 CEST118749763185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:04.442748070 CEST497631187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:04.491942883 CEST118749763185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:08.935708046 CEST497671187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:08.985249996 CEST118749767185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:09.536982059 CEST497671187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:09.586540937 CEST118749767185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:10.099534988 CEST497671187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:10.150204897 CEST118749767185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:14.565951109 CEST497721187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:14.615010023 CEST118749772185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:15.115715981 CEST497721187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:15.166862965 CEST118749772185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:15.678117037 CEST497721187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:15.728826046 CEST118749772185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:20.305769920 CEST497731187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:20.355175972 CEST118749773185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:20.866173983 CEST497731187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:20.915704012 CEST118749773185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:21.428587914 CEST497731187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:21.478018045 CEST118749773185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:25.878092051 CEST497741187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:25.927092075 CEST118749774185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:26.429033995 CEST497741187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:26.478157997 CEST118749774185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:26.991624117 CEST497741187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:27.040839911 CEST118749774185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:31.421698093 CEST497751187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:31.472656012 CEST118749775185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:31.976492882 CEST497751187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:32.026118994 CEST118749775185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:32.538919926 CEST497751187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:32.588376045 CEST118749775185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:37.016067982 CEST497761187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:37.065010071 CEST118749776185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:37.570559025 CEST497761187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:37.621602058 CEST118749776185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:38.133220911 CEST497761187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:38.182405949 CEST118749776185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:42.780148029 CEST497781187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:42.829463959 CEST118749778185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:43.336724997 CEST497781187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:43.386127949 CEST118749778185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:43.899245024 CEST497781187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:43.948367119 CEST118749778185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:48.353594065 CEST497801187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:48.402977943 CEST118749780185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:48.915401936 CEST497801187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:48.964634895 CEST118749780185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:49.477921963 CEST497801187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:49.527160883 CEST118749780185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:53.972299099 CEST497811187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:54.021433115 CEST118749781185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:54.525162935 CEST497811187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:54.574369907 CEST118749781185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:55.087765932 CEST497811187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:55.136708021 CEST118749781185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:00:59.502964020 CEST497821187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:00:59.552524090 CEST118749782185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:00.056865931 CEST497821187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:00.106172085 CEST118749782185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:00.619435072 CEST497821187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:00.668719053 CEST118749782185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:05.271596909 CEST497831187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:05.320935965 CEST118749783185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:05.823019028 CEST497831187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:05.872720957 CEST118749783185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:06.385656118 CEST497831187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:06.435270071 CEST118749783185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:10.790586948 CEST497841187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:10.840133905 CEST118749784185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:11.354733944 CEST497841187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:11.406151056 CEST118749784185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:11.917926073 CEST497841187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:11.967463970 CEST118749784185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:16.041815042 CEST497851187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:16.091456890 CEST118749785185.140.53.135192.168.2.4
                                                                          Jun 11, 2021 15:01:16.605920076 CEST497851187192.168.2.4185.140.53.135
                                                                          Jun 11, 2021 15:01:16.655270100 CEST118749785185.140.53.135192.168.2.4

                                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 14:58:58.107458115 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:58:58.170233965 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:58:58.767272949 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:58:58.827750921 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:58:59.691839933 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:58:59.753588915 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:00.655255079 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:00.709705114 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:02.119545937 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:02.169961929 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:03.784449100 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:03.834805965 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:04.723730087 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:04.774044037 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:05.801599026 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:05.851699114 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:07.170181036 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:07.222780943 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:12.706136942 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:12.762201071 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:15.270526886 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:15.331752062 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:16.583004951 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:16.633383989 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:17.734045982 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:17.784671068 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:18.690721989 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:18.742985010 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:22.071491957 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:22.123260021 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:24.657690048 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:24.707720041 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:25.669609070 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:25.722615004 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:26.830988884 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:26.881102085 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:28.214660883 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:28.267652988 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:28.595549107 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:28.667609930 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:29.217684031 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:29.272856951 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:43.267117977 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:43.505875111 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:44.092092037 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:44.154933929 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:44.762494087 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:44.823632002 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:45.127089977 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:45.199469090 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:45.297183990 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:45.360881090 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:45.977020979 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:46.263571978 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:46.840696096 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:46.894191980 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:47.359003067 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:47.420633078 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:48.445257902 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:48.503940105 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:49.812180042 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:49.871182919 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:50.376142979 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:50.436244011 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:51.571542978 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:51.638654947 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:53.300498009 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:53.353888035 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 14:59:57.756336927 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 14:59:57.837124109 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:03.267348051 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:03.325910091 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:04.686455965 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:04.744987965 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:04.745007992 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:04.808813095 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:08.865986109 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:08.924860954 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:10.790437937 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:10.853650093 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:14.500823021 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:14.562788010 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:20.230350971 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:20.290426970 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:25.817883968 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:25.877048016 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:31.360760927 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:31.420278072 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:36.962040901 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:37.014718056 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:42.075835943 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:42.125832081 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:42.678448915 CEST | 61449 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:42.740317106 CEST | 53 | 61449 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:43.567801952 CEST | 51275 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:43.629858971 CEST | 53 | 51275 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:48.290079117 CEST | 63492 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:48.351994038 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:53.909318924 CEST | 58945 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:53.970079899 CEST | 53 | 58945 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:00:59.440179110 CEST | 60779 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:00:59.499267101 CEST | 53 | 60779 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:01:05.206954002 CEST | 64014 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:01:05.269151926 CEST | 53 | 64014 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:01:10.730623960 CEST | 57091 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:01:10.789726973 CEST | 53 | 57091 | 8.8.8.8 | 192.168.2.4
Jun 11, 2021 15:01:15.981034994 CEST | 55904 | 53 | 192.168.2.4 | 8.8.8.8
Jun 11, 2021 15:01:16.041094065 CEST | 53 | 55904 | 8.8.8.8 | 192.168.2.4

                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 14:59:51.571542978 CEST | 192.168.2.4 | 8.8.8.8 | 0x3080 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 14:59:57.756336927 CEST | 192.168.2.4 | 8.8.8.8 | 0xba23 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:03.267348051 CEST | 192.168.2.4 | 8.8.8.8 | 0x28d6 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:08.865986109 CEST | 192.168.2.4 | 8.8.8.8 | 0x3673 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:14.500823021 CEST | 192.168.2.4 | 8.8.8.8 | 0x1d3 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:20.230350971 CEST | 192.168.2.4 | 8.8.8.8 | 0xe2dd | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:25.817883968 CEST | 192.168.2.4 | 8.8.8.8 | 0xf2b8 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:31.360760927 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb1f | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:36.962040901 CEST | 192.168.2.4 | 8.8.8.8 | 0xd864 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:42.678448915 CEST | 192.168.2.4 | 8.8.8.8 | 0xb4f7 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:48.290079117 CEST | 192.168.2.4 | 8.8.8.8 | 0x8a93 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:53.909318924 CEST | 192.168.2.4 | 8.8.8.8 | 0xbb18 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:59.440179110 CEST | 192.168.2.4 | 8.8.8.8 | 0x6dbc | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:05.206954002 CEST | 192.168.2.4 | 8.8.8.8 | 0xd178 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:10.730623960 CEST | 192.168.2.4 | 8.8.8.8 | 0x74e6 | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:15.981034994 CEST | 192.168.2.4 | 8.8.8.8 | 0xbc5c | Standard query (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | A (IP address) | IN (0x0001)

                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 14:59:51.638654947 CEST | 8.8.8.8 | 192.168.2.4 | 0x3080 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 14:59:57.837124109 CEST | 8.8.8.8 | 192.168.2.4 | 0xba23 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:03.325910091 CEST | 8.8.8.8 | 192.168.2.4 | 0x28d6 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:08.924860954 CEST | 8.8.8.8 | 192.168.2.4 | 0x3673 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:14.562788010 CEST | 8.8.8.8 | 192.168.2.4 | 0x1d3 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:20.290426970 CEST | 8.8.8.8 | 192.168.2.4 | 0xe2dd | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:25.877048016 CEST | 8.8.8.8 | 192.168.2.4 | 0xf2b8 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:31.420278072 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb1f | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:37.014718056 CEST | 8.8.8.8 | 192.168.2.4 | 0xd864 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:42.740317106 CEST | 8.8.8.8 | 192.168.2.4 | 0xb4f7 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:48.351994038 CEST | 8.8.8.8 | 192.168.2.4 | 0x8a93 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:53.970079899 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb18 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:00:59.499267101 CEST | 8.8.8.8 | 192.168.2.4 | 0x6dbc | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:05.269151926 CEST | 8.8.8.8 | 192.168.2.4 | 0xd178 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:10.789726973 CEST | 8.8.8.8 | 192.168.2.4 | 0x74e6 | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
Jun 11, 2021 15:01:16.041094065 CEST | 8.8.8.8 | 192.168.2.4 | 0xbc5c | No error (0) | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | | 185.140.53.135 | A (IP address) | IN (0x0001)
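The DNS Answers table above, read together with the TCP packets to 185.140.53.135:1187, is what a responder mines for indicators: a throw-away dynamic-DNS name that is re-resolved on a fixed cadence and a non-standard destination port. The script below is an added example, not part of the Joe Sandbox report or of NanoCore itself. It re-reads those rows (transcribed inline as constructed input in a simple pipe-delimited form), extracts the resolved domain, C2 IP and port, and tests the answer timestamps for the fixed roughly 5.6 s re-resolution interval that marks a check-in loop. The tolerance `max_cv`, the `min_samples` floor and the `local_net` prefix are assumptions chosen for this example.

```python
"""Beacon-cadence check and IOC extraction over sandbox DNS/TCP records.

Added example, not part of the sandbox report. Input rows are transcribed
from the report's DNS Answers and TCP Packets tables (constructed input).
"""
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed input: timestamp | src IP | dst IP | queried name | answer
DNS_ANSWERS = """
Jun 11, 2021 14:59:51.638654947 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 14:59:57.837124109 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:03.325910091 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:08.924860954 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:14.562788010 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:20.290426970 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:25.877048016 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:31.420278072 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:37.014718056 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:42.740317106 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:48.351994038 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:53.970079899 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:00:59.499267101 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:01:05.269151926 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:01:10.789726973 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
Jun 11, 2021 15:01:16.041094065 CEST | 8.8.8.8 | 192.168.2.4 | kjjuigfdullygigyftkuyluylygilyfidyyuljhd.ydns.eu | 185.140.53.135
"""

# Constructed input (subset of the report's TCP rows):
# timestamp | src port | dst port | src IP | dst IP
TCP_PACKETS = """
Jun 11, 2021 15:01:11.354733944 CEST | 49784 | 1187 | 192.168.2.4 | 185.140.53.135
Jun 11, 2021 15:01:11.406151056 CEST | 1187 | 49784 | 185.140.53.135 | 192.168.2.4
Jun 11, 2021 15:01:16.041815042 CEST | 49785 | 1187 | 192.168.2.4 | 185.140.53.135
Jun 11, 2021 15:01:16.091456890 CEST | 1187 | 49785 | 185.140.53.135 | 192.168.2.4
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CEST$")


def parse_ts(text):
    """Sandbox timestamps carry 9 fractional digits; strptime's %f takes 6."""
    m = TS_RE.match(text.strip())
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def parse_table(blob):
    """Turn the pipe-delimited rows into (datetime, cell, cell, ...) tuples."""
    rows = []
    for line in blob.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        rows.append((parse_ts(cells[0]), *cells[1:]))
    return rows


def beacon_intervals(dns_rows, name):
    """Seconds between successive answers for one queried name."""
    stamps = sorted(ts for ts, _src, _dst, qname, _ans in dns_rows if qname == name)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def is_beacon(intervals, min_samples=5, max_cv=0.25):
    """Fixed-interval re-resolution of the same name, with no caching and only
    sub-second jitter, is the classic RAT check-in signature. Thresholds are
    assumptions for this example, not NanoCore-specific constants."""
    if len(intervals) < min_samples:
        return False
    avg = mean(intervals)
    return avg > 0 and pstdev(intervals) / avg <= max_cv


def extract_iocs(dns_rows, tcp_rows, local_net="192.168."):
    """Resolved names plus every outbound (local -> external) destination port."""
    names = {}
    for _ts, _src, _dst, qname, answer in dns_rows:
        names.setdefault(qname, set()).add(answer)
    ports = {}
    for _ts, _sport, dport, src, dst in tcp_rows:
        if src.startswith(local_net) and not dst.startswith(local_net):
            ports.setdefault(dst, set()).add(int(dport))
    return {"domains": {n: sorted(a) for n, a in names.items()},
            "c2_endpoints": {ip: sorted(p) for ip, p in ports.items()}}


def analyse(dns_blob=DNS_ANSWERS, tcp_blob=TCP_PACKETS):
    dns_rows = parse_table(dns_blob)
    tcp_rows = parse_table(tcp_blob)
    iocs = extract_iocs(dns_rows, tcp_rows)
    verdicts = {}
    for name in iocs["domains"]:
        iv = beacon_intervals(dns_rows, name)
        verdicts[name] = {"samples": len(iv) + 1,
                          "mean_interval_s": round(mean(iv), 2) if iv else None,
                          "beaconing": is_beacon(iv)}
    return {"iocs": iocs, "verdicts": verdicts}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

On the report's rows this yields one domain resolving to 185.140.53.135, one outbound endpoint on TCP 1187, and a mean re-resolution interval of about 5.6 s with a coefficient of variation of a few percent, which is the shape a DNS-log hunt should key on; a host with a normal resolver cache would not re-ask the same A record every few seconds.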

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

                                                                          General

Start time: 14:59:05
Start date: 11/06/2021
Path: C:\Users\user\Desktop\ORDER.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ORDER.exe'
Imagebase: 0x470000
File size: 536064 bytes
MD5 hash: 425F6B1E9437B1F1DB352D1393D236D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.733532456.0000000003B71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.733930181.0000000003D27000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                                          General

Start time: 14:59:45
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp'
Imagebase: 0x340000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
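The schtasks.exe invocation above (and the second one further down this report, `/create /f /tn 'DHCP Monitor' /xml ...tmp777A.tmp`) registers a scheduled task from an XML definition that the dropper wrote to the user's Temp directory under a random `tmp*.tmp` name, which is the persistence step behind the "Uses schtasks.exe or at.exe to add and modify task schedules" signature. The script below is an added example, not part of the Joe Sandbox report: it parses process command lines of that form and flags task creation whose XML source lives in a Temp directory or carries a `.tmp` suffix. The event list is constructed (the two command lines from this report plus a vendor-style one and a query for contrast), and the Temp-path and suffix heuristics are assumptions for the example; the quoting rule (single quotes as the sandbox renders them, or double quotes as Windows logs them) is handled for both.

```python
"""Flag schtasks.exe task creation driven by an XML file in a Temp directory.

Added example, not part of the sandbox report. Command lines are constructed
from the report's process list plus contrast cases.
"""
import re
from pathlib import PureWindowsPath

# Constructed events: two from the report (sandbox renders " as '), one
# vendor-style creation outside Temp, and a read-only query.
EVENTS = [
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A1C.tmp'",
    r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp777A.tmp'",
    r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"',
    r'schtasks.exe /Query /TN "DHCP Monitor"',
]

# A quoted run (either quote style) or a bare whitespace-free token.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Per-user Temp directory; assumption for this example, extend as needed.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line, stripping matched quotes of either kind."""
    toks = []
    for t in TOKEN_RE.findall(cmdline):
        if len(t) >= 2 and t[0] == t[-1] and t[0] in "'\"":
            t = t[1:-1]
        toks.append(t)
    return toks


def parse_schtasks(cmdline):
    """Return the action and the /f, /tn, /xml arguments, or None if the
    image is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    parsed = {"action": None, "force": False, "tn": None, "xml": None}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/create", "/delete", "/change", "/run", "/query"):
            parsed["action"] = flag[1:]
        elif flag == "/f":
            parsed["force"] = True
        elif flag in ("/tn", "/xml") and i + 1 < len(toks):
            parsed[flag[1:]] = toks[i + 1]
            i += 1
        i += 1
    return parsed


def is_suspicious(cmdline):
    """Task creation from an XML under Temp or with a .tmp suffix is flagged;
    everything else returns None."""
    p = parse_schtasks(cmdline)
    if not p or p["action"] != "create" or not p["xml"]:
        return None
    xml = p["xml"]
    if TEMP_RE.search(xml) or PureWindowsPath(xml).suffix.lower() == ".tmp":
        return {"task": p["tn"], "xml": xml, "force": p["force"]}
    return None


def scan(events=EVENTS):
    return [f for f in (is_suspicious(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Two of the four constructed events are flagged: the `Updates\Odstcl` task and the `DHCP Monitor` task created with `/f`, which silently overwrites an existing task of the same name. The XML file itself is disposable and is normally gone by the time anyone looks, so the detection keys on the command line; the surviving artefact is the task definition the service stores under `C:\Windows\System32\Tasks`, whose `<Actions>` element names whatever binary the dropper planted.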

                                                                          General

Start time: 14:59:46
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                          General

Start time: 14:59:46
Start date: 11/06/2021
Path: C:\Users\user\Desktop\ORDER.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x690000
File size: 536064 bytes
MD5 hash: 425F6B1E9437B1F1DB352D1393D236D5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.906988359.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.909542100.0000000003D17000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.728181195.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.910722949.0000000005600000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.910722949.0000000005600000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.728520571.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.911027683.00000000059C0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                          General

                                                                          Start time:14:59:48
                                                                          Start date:11/06/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp777A.tmp'
                                                                          Imagebase:0x340000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:14:59:49
                                                                          Start date:11/06/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:14:59:50
                                                                          Start date:11/06/2021
                                                                          Path:C:\Users\user\Desktop\ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\ORDER.exe 0
                                                                          Imagebase:0x590000
                                                                          File size:536064 bytes
                                                                          MD5 hash:425F6B1E9437B1F1DB352D1393D236D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.815063432.0000000003D01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          General

                                                                          Start time:15:00:23
                                                                          Start date:11/06/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\Odstcl' /XML 'C:\Users\user\AppData\Local\Temp\tmpFE00.tmp'
                                                                          Imagebase:0x340000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:15:00:24
                                                                          Start date:11/06/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:15:00:24
                                                                          Start date:11/06/2021
                                                                          Path:C:\Users\user\Desktop\ORDER.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x550000
                                                                          File size:536064 bytes
                                                                          MD5 hash:425F6B1E9437B1F1DB352D1393D236D5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000000.809591547.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000000.810011437.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.824635528.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.826135770.0000000002B71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.826223724.0000000003B71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Reputation:low

                                                                          Disassembly

                                                                          Code Analysis
