
Analysis Report invoice & packing.pdf.exe

Overview

General Information

Sample Name: invoice & packing.pdf.exe
Analysis ID: 320240
MD5: ac3668260346d59f25905579aa8eaf94
SHA1: 479c7e0b3696f174e13d59ae04353205b9a3203d
SHA256: 3f746fa6f84b842f03679244794c7f16f4497fb2fb8eb770539a7bbd3110e9e9
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • invoice & packing.pdf.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\invoice & packing.pdf.exe' MD5: AC3668260346D59F25905579AA8EAF94)
    • schtasks.exe (PID: 1560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoice & packing.pdf.exe (PID: 4624 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 4668 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 4696 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 6040 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x10d64d:$x1: NanoCore.ClientPluginHost
  • 0x13fe6d:$x1: NanoCore.ClientPluginHost
  • 0x10d68a:$x2: IClientNetworkHost
  • 0x13feaa:$x2: IClientNetworkHost
  • 0x1111bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1439dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x10d3b5:$a: NanoCore
  • 0x10d3c5:$a: NanoCore
  • 0x10d5f9:$a: NanoCore
  • 0x10d60d:$a: NanoCore
  • 0x10d64d:$a: NanoCore
  • 0x13fbd5:$a: NanoCore
  • 0x13fbe5:$a: NanoCore
  • 0x13fe19:$a: NanoCore
  • 0x13fe2d:$a: NanoCore
  • 0x13fe6d:$a: NanoCore
  • 0x10d414:$b: ClientPlugin
  • 0x10d616:$b: ClientPlugin
  • 0x10d656:$b: ClientPlugin
  • 0x13fc34:$b: ClientPlugin
  • 0x13fe36:$b: ClientPlugin
  • 0x13fe76:$b: ClientPlugin
  • 0x10d53b:$c: ProjectData
  • 0x13fd5b:$c: ProjectData
  • 0x10df42:$d: DESCrypto
  • 0x140762:$d: DESCrypto
  • 0x11590e:$e: KeepAlive

Source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x13c2:$a: NanoCore
  • 0x13e7:$a: NanoCore
  • 0x1440:$a: NanoCore
  • 0x115dd:$a: NanoCore
  • 0x11603:$a: NanoCore
  • 0x1165f:$a: NanoCore
  • 0x1e4b4:$a: NanoCore
  • 0x1e50d:$a: NanoCore
  • 0x1e540:$a: NanoCore
  • 0x1e76c:$a: NanoCore
  • 0x1e7e8:$a: NanoCore
  • 0x1ee01:$a: NanoCore
  • 0x1ef4a:$a: NanoCore
  • 0x1f41e:$a: NanoCore
  • 0x1f705:$a: NanoCore
  • 0x1f71c:$a: NanoCore
  • 0x24cba:$a: NanoCore
  • 0x24d34:$a: NanoCore
  • 0x298d1:$a: NanoCore
  • 0x2ac8b:$a: NanoCore
  • 0x2acd5:$a: NanoCore

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 6040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe', ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', ProcessId: 1560
Sigma detected: Suspicious Double Extension
Source: Process started, Author: Florian Roth (rule), @blu3_team (idea), Data: Command: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, NewProcessName: C:\Users\user\Desktop\invoice & packing.pdf.exe, OriginalFileName: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe', ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 4624

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: invoice & packing.pdf.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_0562997F
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_05629990
Source: global traffic, TCP traffic: 192.168.2.6:49727 -> 23.105.131.164:5050
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: invoice & packing.pdf.exe, 00000000.00000002.346838980.0000000000E08000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: invoice & packing.pdf.exe
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_055A13B6 NtQuerySystemInformation
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_055A1389 NtQuerySystemInformation
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC1DC8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC27BC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC2270
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC0BA0
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC1DB7
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC36AC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC77F1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC3958
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC3945
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC2261
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FCABFE
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FC0B90
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_04FCEB30
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_05625D97
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_0562006B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_05620070
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe, Code function: 0_2_0562535B
Source: invoice & packing.pdf.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NKzWuwUvFAvUo.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice & packing.pdf.exe, Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000000.335994926.0000000000792000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.348759292.0000000004038000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameKedermister.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351576272.0000000005C40000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000003.00000000.342276749.0000000000372000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000004.00000002.343495493.00000000003D2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000005.00000002.344572269.0000000000022000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000000.345263115.0000000000A32000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
      Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: invoice & packing.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: NKzWuwUvFAvUo.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine Classification label: mal100.troj.evad.winEXE@12/8@0/1
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_055A0FA2 AdjustTokenPrivileges, 0_2_055A0FA2
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_055A0F6B AdjustTokenPrivileges, 0_2_055A0F6B
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{29d2abae-978d-4a2e-8d75-4eb1cf1bd386}
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\iJAEmKSWJugTtVGt
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_01
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp
      Source: invoice & packing.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File read: C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe 'C:\Users\user\Desktop\invoice & packing.pdf.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: invoice & packing.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: invoice & packing.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_01007751 push eax; ret 0_2_010077A1
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_010077A5 push eax; ret 0_2_010077BD
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_010077BF pushad ; ret 0_2_010077D1
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Code function: 0_2_056295A8 pushfd ; ret 0_2_056295A9
      Source: initial sample Static PE information: section name: .text entropy: 7.83069798608
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe File opened: C:\Users\user\Desktop\invoice & packing.pdf.exe:Zone.Identifier read attributes | delete
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe Static PE information: invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe Process information set: NOOPENFILEERRORBOX