
Analysis Report invoice & packing.pdf.exe

Overview

General Information

Sample Name: invoice & packing.pdf.exe
Analysis ID: 320240
MD5: ac3668260346d59f25905579aa8eaf94
SHA1: 479c7e0b3696f174e13d59ae04353205b9a3203d
SHA256: 3f746fa6f84b842f03679244794c7f16f4497fb2fb8eb770539a7bbd3110e9e9
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • invoice & packing.pdf.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\invoice & packing.pdf.exe' MD5: AC3668260346D59F25905579AA8EAF94)
    • schtasks.exe (PID: 1560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoice & packing.pdf.exe (PID: 4624 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 4668 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 4696 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
    • invoice & packing.pdf.exe (PID: 6040 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth; Strings:
  • 0x10d64d:$x1: NanoCore.ClientPluginHost
  • 0x13fe6d:$x1: NanoCore.ClientPluginHost
  • 0x10d68a:$x2: IClientNetworkHost
  • 0x13feaa:$x2: IClientNetworkHost
  • 0x1111bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1439dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x10d3b5:$a: NanoCore
  • 0x10d3c5:$a: NanoCore
  • 0x10d5f9:$a: NanoCore
  • 0x10d60d:$a: NanoCore
  • 0x10d64d:$a: NanoCore
  • 0x13fbd5:$a: NanoCore
  • 0x13fbe5:$a: NanoCore
  • 0x13fe19:$a: NanoCore
  • 0x13fe2d:$a: NanoCore
  • 0x13fe6d:$a: NanoCore
  • 0x10d414:$b: ClientPlugin
  • 0x10d616:$b: ClientPlugin
  • 0x10d656:$b: ClientPlugin
  • 0x13fc34:$b: ClientPlugin
  • 0x13fe36:$b: ClientPlugin
  • 0x13fe76:$b: ClientPlugin
  • 0x10d53b:$c: ProjectData
  • 0x13fd5b:$c: ProjectData
  • 0x10df42:$d: DESCrypto
  • 0x140762:$d: DESCrypto
  • 0x11590e:$e: KeepAlive
Source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x13c2:$a: NanoCore
  • 0x13e7:$a: NanoCore
  • 0x1440:$a: NanoCore
  • 0x115dd:$a: NanoCore
  • 0x11603:$a: NanoCore
  • 0x1165f:$a: NanoCore
  • 0x1e4b4:$a: NanoCore
  • 0x1e50d:$a: NanoCore
  • 0x1e540:$a: NanoCore
  • 0x1e76c:$a: NanoCore
  • 0x1e7e8:$a: NanoCore
  • 0x1ee01:$a: NanoCore
  • 0x1ef4a:$a: NanoCore
  • 0x1f41e:$a: NanoCore
  • 0x1f705:$a: NanoCore
  • 0x1f71c:$a: NanoCore
  • 0x24cba:$a: NanoCore
  • 0x24d34:$a: NanoCore
  • 0x298d1:$a: NanoCore
  • 0x2ac8b:$a: NanoCore
  • 0x2acd5:$a: NanoCore

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 6040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe', ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', ProcessId: 1560
Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, NewProcessName: C:\Users\user\Desktop\invoice & packing.pdf.exe, OriginalFileName: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe', ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 4624

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: invoice & packing.pdf.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: global traffic; TCP traffic: 192.168.2.6:49727 -> 23.105.131.164:5050
Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: invoice & packing.pdf.exe, 00000000.00000002.346838980.0000000000E08000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: invoice & packing.pdf.exe
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_055A13B6 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_055A1389 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC1DC8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC27BC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC2270
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC0BA0
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC1DB7
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC36AC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC77F1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC3958
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC3945
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC2261
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FCABFE
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FC0B90
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_04FCEB30
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_05625D97
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_0562006B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_05620070
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_0562535B
Source: invoice & packing.pdf.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NKzWuwUvFAvUo.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice & packing.pdf.exe; Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000000.335994926.0000000000792000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.348759292.0000000004038000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameKedermister.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351576272.0000000005C40000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe; Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000003.00000000.342276749.0000000000372000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe; Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000004.00000002.343495493.00000000003D2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe; Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000005.00000002.344572269.0000000000022000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000000.345263115.0000000000A32000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNAudio.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe; Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs invoice & packing.pdf.exe
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs invoice & packing.pdf.exe
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs invoice & packing.pdf.exe
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs invoice & packing.pdf.exe
      Source: invoice & packing.pdf.exeBinary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
      Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: invoice & packing.pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: NKzWuwUvFAvUo.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine; Classification label: mal100.troj.evad.winEXE@12/8@0/1
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_055A0FA2 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_055A0F6B AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{29d2abae-978d-4a2e-8d75-4eb1cf1bd386}
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Mutant created: \Sessions\1\BaseNamedObjects\iJAEmKSWJugTtVGt
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_01
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File created: C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File read: C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe 'C:\Users\user\Desktop\invoice & packing.pdf.exe'
      Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: unknown; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: invoice & packing.pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: invoice & packing.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_01007751 push eax; ret
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_010077A5 push eax; ret
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_010077BF pushad ; ret
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Code function: 0_2_056295A8 pushfd ; ret
      Source: initial sample; Static PE information: section name: .text entropy: 7.83069798608
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe
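      The .text section flags listed above (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ) and its entropy of 7.83 bits per byte are cheap static indicators that the code section holds compressed or encrypted data rather than compiler output, which fits a .NET crypter that unpacks NanoCore at run time. The following Python is an added example and is not part of this report or of Joe Sandbox: it parses the PE section table with the standard library only, computes per-section Shannon entropy, decodes the characteristics bits, and flags executable sections whose entropy crosses a threshold. The image it runs on by default is a minimal PE32 constructed in build_test_pe (not the sample analysed here), and the 7.0 threshold is an assumption; pass a file path to run the same check on a real binary.

```python
import math
import random
import struct
import sys

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the ceiling; values above about 7 mean compressed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def decode_flags(characteristics: int) -> list:
    """Names of the known characteristic bits that are set, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if characteristics & bit]

def analyze(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, size_opt, _ = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]      # on-disk bytes of the section
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 4),
            "flags": decode_flags(chars),
        })
    return sections

def packed_code_sections(sections: list, threshold: float = 7.0) -> list:
    """Executable sections whose bytes look compressed or encrypted (threshold is an assumption)."""
    return [s["name"] for s in sections
            if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] >= threshold]

def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def build_test_pe(text_body: bytes, data_body: bytes) -> bytes:
    """Minimal PE32 image constructed for this example: just enough header to reach the section table."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    hdr_end = e_lfanew + 4 + 20 + size_opt + 2 * 40
    text_off = _align(hdr_end, 0x200)
    data_off = _align(text_off + len(text_body), 0x200)

    def hdr(name, body, off, rva, chars):
        return struct.pack(SECTION_HDR, name, len(body), rva, len(body), off, 0, 0, 0, 0, chars)

    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += hdr(b".text", text_body, text_off, 0x1000, 0x60000020)  # CODE | EXECUTE | READ
    image += hdr(b".data", data_body, data_off, 0x2000, 0xC0000040)  # INIT_DATA | READ | WRITE
    image += b"\0" * (text_off - len(image)) + text_body
    image += b"\0" * (data_off - len(image)) + data_body
    return bytes(image)

def demo():
    """Packed-looking .text (deterministic pseudo-random bytes) beside a zero-filled .data."""
    rng = random.Random(2020)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    sections = analyze(build_test_pe(text, b"\0" * 1024))
    return sections, packed_code_sections(sections)

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python pe_sections.py <file.exe>
        with open(sys.argv[1], "rb") as f:
            secs = analyze(f.read())
        flagged = packed_code_sections(secs)
    else:
        secs, flagged = demo()
    for s in secs:
        print(f"{s['name']:<8} size={s['raw_size']:<8} entropy={s['entropy']:.4f}  {', '.join(s['flags'])}")
    print("packed-looking code sections:", flagged or "none")
```

      A compiler-emitted .text section normally sits well below the 7.83 reported for this sample, so a high-entropy executable section is worth a second look even before the file is run; the same parser also exposes the section flags that the static checks above report, which is useful when triaging a dropped file such as NKzWuwUvFAvUo.exe without a sandbox.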

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; File opened: C:\Users\user\Desktop\invoice & packing.pdf.exe:Zone.Identifier read attributes | delete
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe; Static PE information: invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match -> File source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match -> File source: 00000000.00000002.348133021.0000000002ED7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match -> File source: Process Memory Space: invoice & packing.pdf.exe PID: 7160, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: SBIEDLL.DLL
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Window / User API: threadDelayed 1093
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Window / User API: foregroundWindowGot 674
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Window / User API: foregroundWindowGot 704
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 7164 -> Thread sleep time: -53140s >= -30000s
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 724 -> Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4540 -> Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4584 -> Thread sleep time: -340000s >= -30000s
      Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: vmware
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
      Source: invoice & packing.pdf.exe, 00000000.00000002.346900929.0000000000E68000.00000004.00000020.sdmp -> Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp -> Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Process token adjusted: Debug
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Memory allocated: page read and write | page guard
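
      The evasion rows above (a Sandboxie DLL name, a Wine-only export, VMware device and registry strings, and threads parked for 922337203685477 ms) can be triaged mechanically. The Python below is an added example and is not code from the Joe Sandbox report or from the sample. It replays constructed event lines modelled on the report's rows, explains 922337203685477 as .NET's TimeSpan.MaxValue expressed in whole milliseconds, and treats the sandbox's sleep numbers as milliseconds (an assumption; the sandbox's own threshold of 30000 reads as 30 s). The artifact list, the thresholds and the two-category verdict rule are this example's own choices.

```python
"""Triage sandbox-evasion indicators from dynamic-analysis event rows.

Added example; not code from the report or from the sample. The event lines
are constructed to mirror the report's "Source: ... -> <event>" rows.
"""
import re
from typing import List, Optional, Tuple

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns. In whole
# milliseconds that is 922337203685477, the value the report shows for
# threads parked with an "infinite" timeout.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Strings a program only needs if it is probing for an analysis environment
# (assumed list; each entry appears in the report's rows).
ANALYSIS_ARTIFACTS = {
    "SBIEDLL.DLL": "Sandboxie injected DLL",
    "WINE_GET_UNIX_FILE_NAME": "Wine-only kernel32 export",
    "VMWARE": "VMware product/registry/device string",
    "NECVMWAR": "VMware virtual CD-ROM vendor id",
}

SLEEP_RE = re.compile(r"Thread (?:sleep time|delayed: delay time): -?(\d+)")
STRING_RE = re.compile(r"Binary or memory string: (.+)$")
FILE_RE = re.compile(r"File opened / queried: (.+)$")


def classify_sleep(ms: int, long_sleep_ms: int = 30_000) -> Optional[str]:
    """Label a sleep length given in milliseconds (assumed unit)."""
    if ms >= TIMESPAN_MAX_MS and ms % TIMESPAN_MAX_MS == 0:
        # The report also shows exactly 2 x the sentinel; treat multiples alike.
        return f"infinite-wait sentinel (TimeSpan.MaxValue x {ms // TIMESPAN_MAX_MS})"
    if ms >= long_sleep_ms:
        return f"long sleep ({ms / 60_000:.1f} min)"
    return None


def artifact_hits(text: str) -> List[str]:
    """Case-insensitive substring match against the artifact list."""
    upper = text.upper()
    return [desc for needle, desc in ANALYSIS_ARTIFACTS.items() if needle in upper]


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; categories are 'timing' and 'artifact'."""
    findings = []
    for line in events:
        m = SLEEP_RE.search(line)
        if m:
            label = classify_sleep(int(m.group(1)))
            if label:
                findings.append(("timing", label))
            continue
        m = STRING_RE.search(line) or FILE_RE.search(line)
        if m:
            for desc in artifact_hits(m.group(1)):
                findings.append(("artifact", desc))
    return findings


def verdict(findings, min_categories: int = 2):
    """Call it evasive only when independent categories agree (timing AND artifacts)."""
    cats = sorted({c for c, _ in findings})
    return len(cats) >= min_categories, cats


# Constructed sample rows modelled on the report (not copied from a live run).
EXE = r"C:\Users\user\Desktop\invoice & packing.pdf.exe"
SAMPLE_EVENTS = [
    "Source: invoice & packing.pdf.exe, 00000000.00000002.sdmp -> Binary or memory string: SBIEDLL.DLL",
    "Source: invoice & packing.pdf.exe, 00000000.00000002.sdmp -> Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    f"Source: {EXE} -> File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}",
    f"Source: {EXE} TID: 724 -> Thread sleep time: -922337203685477s >= -30000s",
    f"Source: {EXE} TID: 4540 -> Thread sleep time: -1844674407370954s >= -30000s",
    f"Source: {EXE} TID: 4584 -> Thread sleep time: -340000s >= -30000s",
    f"Source: {EXE} TID: 7164 -> Thread sleep time: -53140s >= -30000s",
    "Source: invoice & packing.pdf.exe, 00000000.00000002.sdmp -> Binary or memory string: VMware SVGA II",
    f"Source: {EXE} -> Process token adjusted: Debug",   # no evasion signal on its own
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for cat, detail in found:
        print(f"{cat:8s} {detail}")
    print("evasive:", verdict(found))
```

      The sentinel check matters for tuning: a rule that only says "sleep longer than N" fires on ordinary wait handles, whereas a thread that asks for TimeSpan.MaxValue (or a sum of several such waits, as the 1844674407370954 row shows) is almost always a deliberate stall that the sandbox has to skip.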

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Memory written: C:\Users\user\Desktop\invoice & packing.pdf.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Code function: 0_2_00DFB0BE GetUserNameW,
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\invoice & packing.pdf.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
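
      The three behaviours in this section (a scheduled task created from an XML file in the user's Temp directory, a copy of the sample spawned and then overwritten with a PE image at base 0x400000, and SecurityCenter2 enumeration of AV, anti-spyware and firewall products) are cheap to express as correlation rules. The Python below is an added example, not code from the report or from the sample: it runs those rules over constructed event records modelled on the rows above, including a benign schtasks control that must not fire. The event field names, the rule names and the "self-copy plus MZ write at 0x400000" correlation are this example's own assumptions.

```python
"""Correlation rules over sandbox process, memory-write and WMI events.

Added example; not code from the report or from the sample. Events are
constructed dicts modelled on the report's rows.
"""
import re
from typing import Dict, Iterable, List, Optional

TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# /XML 'path', /XML "path" or /XML path
XML_ARG_RE = re.compile(r"/XML\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.I)
SECURITY_CENTER_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}


def schtasks_xml_path(cmdline: str) -> Optional[str]:
    """Path passed to schtasks /XML, whether single-, double- or un-quoted."""
    m = XML_ARG_RE.search(cmdline)
    return next((g for g in m.groups() if g), None) if m else None


def run_rules(events: Iterable[Dict]) -> List[Dict]:
    findings: List[Dict] = []
    self_spawned = set()   # images a process has launched as a copy of itself
    sc_classes = set()     # SecurityCenter2 classes the sample enumerated
    for ev in events:
        kind = ev["kind"]
        if kind == "process_created":
            image = ev["image"].lower()
            if image.endswith("\\schtasks.exe") and re.search(r"/create\b", ev["cmdline"], re.I):
                xml = schtasks_xml_path(ev["cmdline"])
                if xml and TEMP_DIR_RE.search(xml):
                    findings.append({"rule": "schtasks_xml_from_temp",
                                     "parent": ev["parent"], "xml": xml})
            if image == ev["parent"].lower():
                self_spawned.add(image)
        elif kind == "memory_written":
            # A PE header (4D 5A) written at the default image base of a child
            # that is a copy of the writer is the process-hollowing pattern.
            if (ev["target"].lower() in self_spawned
                    and ev["base"] == 0x400000 and ev["data"][:2] == b"MZ"):
                findings.append({"rule": "self_hollowing",
                                 "source": ev["source"], "target": ev["target"]})
        elif kind == "wmi_query" and ev["namespace"].lower().endswith("securitycenter2"):
            m = re.search(r"\bFROM\s+(\w+)", ev["query"], re.I)
            if m and m.group(1) in SECURITY_CENTER_CLASSES:
                sc_classes.add(m.group(1))
    if sc_classes:
        # One finding for the whole enumeration; flag the full AV/AS/FW sweep.
        findings.append({"rule": "securitycenter_enum", "classes": sorted(sc_classes),
                         "all_three": sc_classes == SECURITY_CENTER_CLASSES})
    return findings


# Constructed sample events modelled on the report's rows.
EXE = r"C:\Users\user\Desktop\invoice & packing.pdf.exe"
SC = r"ROOT\SecurityCenter2"
SAMPLE_EVENTS = [
    {"kind": "process_created", "parent": EXE, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'"},
    {"kind": "process_created", "parent": EXE, "image": EXE, "cmdline": EXE},
    {"kind": "memory_written", "source": EXE, "target": EXE, "base": 0x400000, "data": b"MZ\x90\x00"},
    {"kind": "wmi_query", "source": EXE, "namespace": SC, "query": "SELECT DisplayName FROM AntiVirusProduct"},
    {"kind": "wmi_query", "source": EXE, "namespace": SC, "query": "SELECT DisplayName FROM AntiSpywareProduct"},
    {"kind": "wmi_query", "source": EXE, "namespace": SC, "query": "SELECT DisplayName FROM FirewallProduct"},
    # Benign control: a task whose XML lives outside %TEMP% must not fire.
    {"kind": "process_created", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN Backup /XML "C:\ProgramData\Backup\task.xml"'},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

      One detail worth carrying into production rules: the report lists the created image as C:\Windows\SysWOW64\schtasks.exe while the command line names C:\Windows\System32\schtasks.exe. The sample is a 32-bit process, so the WoW64 file-system redirector serves the 32-bit binary; matching on the file name rather than the full directory, as the `endswith` check above does, keeps the rule from missing the redirected path.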

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match -> File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploa
dOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersion
AttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCo
mmandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
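The three "String found in binary or memory" hits above are the .NET #Strings heaps of NanoCore plugin assemblies (FileBrowserClient, MyClientPlugin, NanoCoreStressTester) with the NUL separators stripped by the string scanner, which is why the identifiers run together. Pulling the heap out of a dump properly, through the ECMA-335 metadata root rather than a raw string scan, gives clean identifiers and lets a triage script map plugin names to the capability they imply. The code below is an added example, not part of the Joe Sandbox report or of NanoCore: the marker-to-capability table is the editor's reading of the method names visible in the report, and SAMPLE_IMAGE is constructed test data, not bytes from the analysed process.

```python
"""Locate the .NET #Strings heap in an image or memory dump and triage its
identifiers for NanoCore plugin markers (added example; constructed sample data)."""
import struct

METADATA_SIGNATURE = 0x424A5342  # little-endian "BSJB", start of the CLR metadata root

# Plugin identifier substring -> capability implied by the surrounding names in the report.
NANOCORE_MARKERS = {
    "NanoCore.ClientPluginHost": "NanoCore plugin host interfaces (core client)",
    "FileBrowserClient": "file browser plugin: HandleUpload/HandleDownload/HandleDeleteFile",
    "MyClientPlugin": "misc command plugin: HKLM registry SetValue, DisableWebcamLights",
    "NanoCoreStressTester": "stress-test plugin: HTTPFlood/SlowLoris/SYNFlood/TCP/UDP flooding",
}


def parse_metadata_root(buf: bytes, root: int) -> dict[str, bytes]:
    """Parse an ECMA-335 II.24.2.1 metadata root at offset `root`; return {stream name: bytes}."""
    sig, _major, _minor, _reserved, version_len = struct.unpack_from("<IHHII", buf, root)
    if sig != METADATA_SIGNATURE:
        raise ValueError("no BSJB signature at offset %#x" % root)
    pos = root + 16 + version_len              # skip the 4-byte-padded version string
    _flags, stream_count = struct.unpack_from("<HH", buf, pos)
    pos += 4
    streams = {}
    for _ in range(stream_count):
        offset, size = struct.unpack_from("<II", buf, pos)  # offset is relative to the root
        pos += 8
        end = buf.index(b"\x00", pos)
        name = buf[pos:end].decode("ascii")
        pos = end + 1
        pos += -(pos - root) % 4                # stream names are padded to a 4-byte boundary
        streams[name] = buf[root + offset: root + offset + size]
    return streams


def strings_heap_identifiers(buf: bytes) -> list[str]:
    """All identifiers in the first #Strings heap found in `buf` (empty list if none)."""
    root = buf.find(b"BSJB")
    if root < 0:
        return []
    heap = parse_metadata_root(buf, root).get("#Strings", b"")
    return [s.decode("utf-8", "replace") for s in heap.split(b"\x00") if s]


def nanocore_markers(buf: bytes) -> dict[str, list[str]]:
    """{marker: [identifiers containing it]} for every marker present in the heap."""
    hits: dict[str, list[str]] = {}
    for ident in strings_heap_identifiers(buf):
        for marker in NANOCORE_MARKERS:
            if marker in ident:
                hits.setdefault(marker, []).append(ident)
    return hits


def build_metadata_root(streams: dict[str, bytes], version: str = "v2.0.50727") -> bytes:
    """Serialise a minimal metadata root (used only to construct the sample below)."""
    ver = version.encode("ascii") + b"\x00"
    ver += b"\x00" * (-len(ver) % 4)
    names = []
    for name in streams:
        n = name.encode("ascii") + b"\x00"
        names.append(n + b"\x00" * (-len(n) % 4))
    header_len = 16 + len(ver) + 4 + sum(8 + len(n) for n in names)
    out = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    out += struct.pack("<HH", 0, len(streams))
    offset, bodies = header_len, b""
    for (_name, body), n in zip(streams.items(), names):
        out += struct.pack("<II", offset, len(body)) + n
        bodies += body
        offset += len(body)
    return out + bodies


# Constructed sample: a stub image carrying a few identifiers taken from the report's strings.
_IDENTIFIERS = [b"<Module>", b"mscorlib", b"Microsoft.VisualBasic", b"FileBrowserClient.My",
                b"NanoCore.ClientPluginHost", b"IClientNetworkHost", b"HandleUpload",
                b"NanoCoreStressTester.My.Resources", b"HTTPFlood", b"SlowLoris", b"SYNFlood",
                b"MyClientPlugin.dll", b"DisableWebcamLights"]
SAMPLE_IMAGE = b"MZ" + b"\x00" * 62 + build_metadata_root({
    "#~": b"\x00" * 24,
    "#Strings": b"\x00" + b"\x00".join(_IDENTIFIERS) + b"\x00",  # heap always starts with ""
    "#US": b"\x00", "#GUID": b"\x00" * 16, "#Blob": b"\x00",
})

if __name__ == "__main__":
    for marker, idents in nanocore_markers(SAMPLE_IMAGE).items():
        print(f"{marker:28} {NANOCORE_MARKERS[marker]}")
        print(f"{'':28} {', '.join(idents)}")
```

On a real dump, `buf.find(b"BSJB")` returns the first metadata root only; a process that has loaded several plugin assemblies (as this one has) needs the search repeated from `root + 4` to enumerate every heap.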

Mitre Att&ck Matrix

Techniques carrying a superscript marker were matched by signatures in this analysis (the markers are the report's own); unmarked entries are the remaining cells of the matrix. The matrix is listed per tactic column:

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation¹, Scheduled Task/Job¹, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Scheduled Task/Job¹, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Access Token Manipulation¹, Process Injection¹¹¹, Scheduled Task/Job¹, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Masquerading¹¹, Virtualization/Sandbox Evasion³, Disable or Modify Tools¹, Access Token Manipulation¹, Process Injection¹¹¹, Hidden Files and Directories¹, Obfuscated Files or Information¹³, Software Packing², Masquerading
Credential Access: Input Capture¹, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Query Registry¹, Security Software Discovery¹²¹, Virtualization/Sandbox Evasion³, Process Discovery¹, Application Window Discovery¹, Account Discovery¹, System Owner/User Discovery¹, File and Directory Discovery¹, System Information Discovery²
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Input Capture¹, Archive Collected Data¹, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel¹, Non-Standard Port¹, Remote Access Software¹, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

      Behavior Graph


      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner
invoice & packing.pdf.exe | 8% | ReversingLabs
invoice & packing.pdf.exe | 100% | Joe Sandbox ML

      Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe | 8% | ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs


      Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.105.131.164 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | false

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:320240
      Start date:19.11.2020
      Start time:07:46:27
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 10m 12s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:invoice & packing.pdf.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@12/8@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 1.2% (good quality ratio 0.8%)
      • Quality average: 44.3%
      • Quality standard deviation: 33.7%
      HCA Information:
      • Successful, ratio: 98%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
07:47:23 | API Interceptor | 966x Sleep call for process: invoice & packing.pdf.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

Match: LEASEWEB-USA-NYC-11US

Associated Sample Name / URL | Detection | Context (contacted IP)
NXKfWP9SPF0XHRu.exe | malicious | 23.105.131.214
DOC.exe | malicious | 23.105.131.162
Shipping_Details.exe | malicious | 23.105.131.165
2AyWKsCvVF.exe | malicious | 192.253.246.143
tn9jVPvlMSqAUX5.exe | malicious | 23.105.131.229
HLiw2LPA8i.rtf | malicious | 192.253.246.143
TDToxqrclL.exe | malicious | 23.105.131.177
Ziiq5tI3CT.exe | malicious | 23.105.131.239
f3wo2FuLN6.exe | malicious | 192.253.246.143
ORDER INQUIRY.pdf.exe | malicious | 23.105.131.177
Purchase Order 4500033557.pdf.exe | malicious | 23.105.131.177
SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exe | malicious | 192.253.246.138
Proof_of_payment.xlsm | malicious | 23.105.131.217
invoice tax.xlsm | malicious | 23.105.131.217
SHIPPING DOCUMENTS.pdf.exe | malicious | 23.105.131.177
Payment_Order_20201111.xlsx | malicious | 192.253.246.138
TLpMnhJmg7.exe | malicious | 192.253.246.143
HDyADDoI3I.exe | malicious | 192.253.246.143
11.exe | malicious | 173.234.155.145
53C29QAJnd.exe | malicious | 173.234.155.145

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice & packing.pdf.exe.log
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):664
      Entropy (8bit):5.288448637977022
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
      MD5:B1DB55991C3DA14E35249AEA1BC357CA
      SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
      SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
      SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
      Malicious:true
      Reputation:moderate, very likely benign file
Preview (CRLF-separated lines):
1,"fusion","GAC",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0
3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0
      C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1658
      Entropy (8bit):5.169644445225677
      Encrypted:false
      SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3aItn:cbha7JlNQV/rydbz9I3YODOLNdq39
      MD5:8C54517939B406C8DAE32AD5439E85E4
      SHA1:F9C0D812F35D6498238989DFD5BF7469059632F8
      SHA-256:3B9BA204CF8DC26B7BE6F46EEDCDCA0D9DF4E156B4A57DB3647D998528CB871E
      SHA-512:795C7DE27586546AF789B9FFD53F891E70586DE2A5DCAE66328A8A6185739F69CC2C5B9BAC7AA0D8823160BCF2572ADC9AA548E7D9415A44EE33BF3C91EBE995
      Malicious:true
      Reputation:low
Preview (CRLF-separated lines, truncated by the report):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvail
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:data
      Category:dropped
      Size (bytes):232
      Entropy (8bit):7.024371743172393
      Encrypted:false
      SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
      MD5:32D0AAE13696FF7F8AF33B2D22451028
      SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
      SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
      SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:data
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:UHh:m
      MD5:8F8822F0459769C3D4C8BBD6B94685D1
      SHA1:4403B5ABEB290502AA1CD8A297D7A22AEEFC618C
      SHA-256:9380CC30AE6D7AE544EEFBDD8929DD26AF5BB425CAA97E7688C313F069098687
      SHA-512:5305B6872A18CF0EC3350E702D14AF9C9D908CBCD57F9274AD0D08A5514AE08DE21DCFD61EEF854AEB494E579B40D4892EB09B2DDF3500196DA8284DD983DA69
      Malicious:true
      Reputation:low
      Preview: ..*k...H
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:data
      Category:dropped
      Size (bytes):40
      Entropy (8bit):5.221928094887364
      Encrypted:false
      SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
      MD5:AE0F5E6CE7122AF264EC533C6B15A27B
      SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
      SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
      SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:data
      Category:dropped
      Size (bytes):426840
      Entropy (8bit):7.999608491116724
      Encrypted:true
      SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
      MD5:963D5E2C9C0008DFF05518B47C367A7F
      SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
      SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
      SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
      C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):590336
      Entropy (8bit):7.810863680136923
      Encrypted:false
      SSDEEP:12288:h5k/J+UIdk23WCfofAeGD2TmPsaMj7Yx960yBHXoauQ2YwhOTHo:hfUIdkSWCQfAebiPZY7Ye9ZXzKD8
      MD5:AC3668260346D59F25905579AA8EAF94
      SHA1:479C7E0B3696F174E13D59AE04353205B9A3203D
      SHA-256:3F746FA6F84B842F03679244794C7F16F4497FB2FB8EB770539A7BBD3110E9E9
      SHA-512:1F7B0571BDD36F119EE7CC7A2D578C337E6BB9D092EA29E15C4C10A49BB6A0C95BEDBACF4F460815307585ECA9D02F249D9738B645F5BA8CBC4A9F502C7A8B55
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 8%
      Reputation:low
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............P......D......".... ........@.. .......................`............@.....................................O.......pA...................@....................................................... ............... ..H............text...(.... ...................... ..`.rsrc...pA.......B..................@..@.reloc.......@......................@..B........................H......................x{..X_...........................................0............(....(..........(.....o.....*.....................(.......( ......(!......("......(#....*N..(....oD...($....*&..(%....*.s&........s'........s(........s)........s*........*....0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+..*.0......
      C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe:Zone.Identifier
      Process:C:\Users\user\Desktop\invoice & packing.pdf.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Preview: [ZoneTransfer]....ZoneId=0
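Two of the dropped files carry the persistence story on their own: the task definition in %TEMP% (a LogonTrigger task registered at LeastPrivilege, so no UAC prompt, with a registration date from 2014 that is six years older than the binary's compile time, which marks it as a template baked into the RAT) and the Zone.Identifier stream on the copy in %APPDATA%, where an explicit ZoneId=0 is the RAT clearing the Mark-of-the-Web rather than the absence a freshly written file would normally have. The code below is an added example, not part of the Joe Sandbox report: TASK_XML is constructed to repeat the elements visible in the preview and adds an <Actions> block, and because the preview is cut off before <Actions>, the command path used there is an assumption, not something the report shows; ZONE_STREAM is the 26-byte stream reconstructed from the report's listing.

```python
"""Triage a Task Scheduler XML definition and a Zone.Identifier stream
(added example; constructed inputs modelled on the report's dropped files)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
COMPILE_TIME = datetime(2020, 11, 19, 1, 48, 21)  # PE TimeDateStamp 0x5FB5CEE5 from Static PE Info
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\", "\\users\\public\\")

# Constructed task: elements from the report's preview plus an assumed <Actions> target.
TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\NKzWuwUvFAvUo.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def triage_task(xml_text: str, compile_time: Optional[datetime] = None) -> list[str]:
    """Return human-readable findings for a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> Optional[str]:
        node = root.find(path, TASK_NS)
        return node.text if node is not None else None

    findings = []
    if text("t:Triggers/t:LogonTrigger/t:Enabled") == "true":
        findings.append("runs at every logon of " + (text("t:Triggers/t:LogonTrigger/t:UserId") or "?"))
    if text("t:Principals/t:Principal/t:RunLevel") == "LeastPrivilege":
        findings.append("RunLevel LeastPrivilege: registered without elevation, user-level persistence")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        if any(d in (cmd.text or "").lower() for d in USER_WRITABLE):
            findings.append("executes from a user-writable path: " + cmd.text)
    date = text("t:RegistrationInfo/t:Date")
    if date and compile_time and datetime.fromisoformat(date[:19]) < compile_time:
        findings.append(f"registration date {date[:10]} predates the sample's compile time (templated task)")
    return findings


ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"  # reconstructed 26-byte stream listed in the report


def parse_zone_id(stream: bytes) -> Optional[int]:
    """ZoneId from a Zone.Identifier alternate data stream, or None if absent."""
    m = re.search(rb"^ZoneId=(\d+)\s*$", stream, re.M)
    return int(m.group(1)) if m else None


def zone_finding(stream: bytes) -> str:
    zone = parse_zone_id(stream)
    if zone is None:
        return "no ZoneId: stream absent or malformed"
    label = f"ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')})"
    if zone < 3:
        return label + ": not an Internet-origin mark, SmartScreen and Protected View checks do not apply"
    return label + ": Mark-of-the-Web present"


if __name__ == "__main__":
    for f in triage_task(TASK_XML, COMPILE_TIME):
        print("task:", f)
    print("ads: ", zone_finding(ZONE_STREAM))
```

The real dropped task file is UTF-16, so on a Windows host read it with `open(path, encoding="utf-16")` before passing the text to `triage_task`; the alternate data stream is read with `open(r"...\NKzWuwUvFAvUo.exe:Zone.Identifier", "rb")`.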

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.810863680136923
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name:invoice & packing.pdf.exe
      File size:590336
      MD5:ac3668260346d59f25905579aa8eaf94
      SHA1:479c7e0b3696f174e13d59ae04353205b9a3203d
      SHA256:3f746fa6f84b842f03679244794c7f16f4497fb2fb8eb770539a7bbd3110e9e9
      SHA512:1f7b0571bdd36f119ee7cc7a2d578c337e6bb9d092ea29e15c4c10a49bb6a0c95bedbacf4f460815307585eca9d02f249d9738b645f5ba8cbc4a9f502c7a8b55
      SSDEEP:12288:h5k/J+UIdk23WCfofAeGD2TmPsaMj7Yx960yBHXoauQ2YwhOTHo:hfUIdkSWCQfAebiPZY7Ye9ZXzKD8
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P......D......".... ........@.. .......................`............@................................

      File Icon

      Icon Hash:f8c492aaaa92dcfe

      Static PE Info

      General

      Entrypoint:0x48db22
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5FB5CEE5 [Thu Nov 19 01:48:21 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:v2.0.50727
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]   ; reads the single IAT slot at RVA 0x2000 (Data Directories: IAT 0x2000/0x8; Imports: mscoree.dll!_CorExeMain), the standard x86 .NET loader stub
add byte ptr [eax], al      ; repeated 97 times in the original listing: the bytes after the 6-byte stub are zeros, and 00 00 disassembles as "add byte ptr [eax], al"

      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8dad0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x4170 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8bb28 | 0x8bc00 | False | 0.877744507491 | data | 7.83069798608 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x4170 | 0x4200 | False | 0.503255208333 | data | 5.47730162147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8e190 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x8e5f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509 | |
RT_ICON | 0x8f6a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498 | |
RT_GROUP_ICON | 0x91c48 | 0x30 | data | |
RT_VERSION | 0x91c78 | 0x30c | data | |
RT_MANIFEST | 0x91f84 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

The dBase IV identifications are libmagic false positives on raw icon bitmaps, not a hidden data file: 0x468, 0x10a8 and 0x25a8 bytes are exactly the sizes of 16x16, 32x32 and 48x48 32-bpp DIB icons (40-byte BITMAPINFOHEADER, XOR bitmap, row-padded 1-bpp AND mask).

      Imports

DLL | Import
mscoree.dll | _CorExeMain
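The Static PE Info numbers above fit together in a way worth checking by hand when a .NET dropper turns up: the only import is mscoree.dll!_CorExeMain, the IAT is a single slot at RVA 0x2000 with the CLR header right behind it at 0x2008, and the entrypoint 0x48db22 is the 6-byte jump through that slot. That leaves .text holding almost 0x8bb28 bytes at entropy 7.83 that are not code in any meaningful sense, which is consistent with the Software Packing and Obfuscated Files or Information hits in the matrix. The code below is an added example, not part of the Joe Sandbox report: the section table, directory RVAs, timestamp and icon sizes are copied from the report's tables, the byte buffers in the entropy check are constructed, and the functions reproduce how the "Is in Section", Time Stamp and Entropy columns are derived.

```python
"""Re-derive the Static PE Info columns from the report's raw numbers
(added example; table values from the report, entropy buffers constructed)."""
import math
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x48DB22
TIME_DATE_STAMP = 0x5FB5CEE5

# (name, virtual address, virtual size, raw size) from the Sections table.
SECTIONS = [
    (".text", 0x2000, 0x8BB28, 0x8BC00),
    (".rsrc", 0x8E000, 0x4170, 0x4200),
    (".reloc", 0x94000, 0xC, 0x200),
]

# (directory, RVA, size): the non-empty rows of the Data Directories table.
DATA_DIRECTORIES = [
    ("IMPORT", 0x8DAD0, 0x4F),
    ("RESOURCE", 0x8E000, 0x4170),
    ("BASERELOC", 0x94000, 0xC),
    ("IAT", 0x2000, 0x8),              # one 4-byte slot plus terminator: mscoree!_CorExeMain
    ("COM_DESCRIPTOR", 0x2008, 0x48),  # IMAGE_COR20_HEADER, immediately after the IAT
]

# RT_ICON resource sizes from the Resources table.
ICON_SIZES = [0x468, 0x10A8, 0x25A8]


def rva_to_section(rva: int, sections=SECTIONS) -> Optional[str]:
    """Name of the section whose mapped range [VA, VA + max(vsize, rawsize)) contains rva."""
    for name, va, vsize, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def directory_sections(dirs=DATA_DIRECTORIES) -> dict[str, Optional[str]]:
    """Reproduce the 'Is in Section' column."""
    return {name: rva_to_section(rva) for name, rva, _size in dirs}


def entrypoint_section() -> Optional[str]:
    return rva_to_section(ENTRYPOINT_VA - IMAGE_BASE)


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def dib_icon_size(side: int, bpp: int = 32) -> int:
    """Byte size of a square RT_ICON DIB: 40-byte BITMAPINFOHEADER + XOR bitmap
    + 1-bpp AND mask whose rows are padded to 4 bytes."""
    xor_bytes = side * side * bpp // 8
    and_row = ((side + 31) // 32) * 4
    return 40 + xor_bytes + side * and_row


def icon_dimensions(size: int, bpp: int = 32) -> Optional[int]:
    """Side length whose DIB is exactly `size` bytes, or None if no standard icon fits."""
    for side in (16, 24, 32, 48, 64, 128, 256):
        if dib_icon_size(side, bpp) == size:
            return side
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    print("entrypoint in", entrypoint_section())
    for name, sec in directory_sections().items():
        print(f"{name:15} -> {sec}")
    print("compiled", pe_timestamp(TIME_DATE_STAMP).isoformat())
    print("icons", [icon_dimensions(s) for s in ICON_SIZES])
```

To apply `shannon_entropy` to the real sample, read the .text bytes at file offset `PointerToRawData` for `SizeOfRawData` (0x8bc00) and compare with the 7.83 in the Sections table; a .NET image whose .text is genuinely IL and metadata usually lands well below 7.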

      Version Infos

Translation:0x0000 0x04b0
LegalCopyright:Copyright 2014
Assembly Version:1.0.0.0
InternalName:gSqi.exe
FileVersion:1.0.0.0
CompanyName:
LegalTrademarks:
Comments:
ProductName:Blackjack
ProductVersion:1.0.0.0
FileDescription:Blackjack
OriginalFilename:gSqi.exe

      Network Behavior

      Network Port Distribution

      TCP Packets


      Code Manipulations

      Statistics

      Behavior

      System Behavior

      General

      Start time:07:47:22
      Start date:19/11/2020
      Path:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\invoice & packing.pdf.exe'
      Imagebase:0x790000
      File size:590336 bytes
      MD5 hash:AC3668260346D59F25905579AA8EAF94
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.348133021.0000000002ED7000.00000004.00000001.sdmp, Author: Joe Security
      Reputation:low

      General

      Start time:07:47:24
      Start date:19/11/2020
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
      Imagebase:0xa70000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:07:47:25
      Start date:19/11/2020
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff61de10000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:07:47:25
      Start date:19/11/2020
      Path:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Imagebase:0x370000
      File size:590336 bytes
      MD5 hash:AC3668260346D59F25905579AA8EAF94
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:07:47:25
      Start date:19/11/2020
      Path:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Imagebase:0x3d0000
      File size:590336 bytes
      MD5 hash:AC3668260346D59F25905579AA8EAF94
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:07:47:26
      Start date:19/11/2020
      Path:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Imagebase:0x20000
      File size:590336 bytes
      MD5 hash:AC3668260346D59F25905579AA8EAF94
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:07:47:26
      Start date:19/11/2020
      Path:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\invoice & packing.pdf.exe
      Imagebase:0xa30000
      File size:590336 bytes
      MD5 hash:AC3668260346D59F25905579AA8EAF94
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Disassembly

      Code Analysis
