Loading ...

Play interactive tourEdit tour

Analysis Report invoicePDF.exe

Overview

General Information

Sample Name:invoicePDF.exe
Analysis ID:320280
MD5:71fbb96e66805ffc1f477b3cd89e1a99
SHA1:deb4d9f604ac1502bc5cd601753e8b588a0eba0b
SHA256:78323d67f56b427a363820b094a4081e652b7e740c75e715fa96fb7ccf96795f
Tags:exeNanoCoreRAT

Most interesting Screenshot:

Detection

NanoCore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • invoicePDF.exe (PID: 5548 cmdline: 'C:\Users\user\Desktop\invoicePDF.exe' MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • schtasks.exe (PID: 4392 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoicePDF.exe (PID: 4532 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • invoicePDF.exe (PID: 3440 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1da8ad:$x1: NanoCore.ClientPluginHost
  • 0x2844ed:$x1: NanoCore.ClientPluginHost
  • 0x1da8ea:$x2: IClientNetworkHost
  • 0x28452a:$x2: IClientNetworkHost
  • 0x1de41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x28805d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x1da615:$a: NanoCore
    • 0x1da625:$a: NanoCore
    • 0x1da859:$a: NanoCore
    • 0x1da86d:$a: NanoCore
    • 0x1da8ad:$a: NanoCore
    • 0x284255:$a: NanoCore
    • 0x284265:$a: NanoCore
    • 0x284499:$a: NanoCore
    • 0x2844ad:$a: NanoCore
    • 0x2844ed:$a: NanoCore
    • 0x1da674:$b: ClientPlugin
    • 0x1da876:$b: ClientPlugin
    • 0x1da8b6:$b: ClientPlugin
    • 0x2842b4:$b: ClientPlugin
    • 0x2844b6:$b: ClientPlugin
    • 0x2844f6:$b: ClientPlugin
    • 0x12f462:$c: ProjectData
    • 0x1da79b:$c: ProjectData
    • 0x2843db:$c: ProjectData
    • 0x13017b:$d: DESCrypto
    • 0x1db1a2:$d: DESCrypto
    00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      Process Memory Space: invoicePDF.exe PID: 5548JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\invoicePDF.exe, ProcessId: 3440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoicePDF.exe' , ParentImage: C:\Users\user\Desktop\invoicePDF.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', ProcessId: 4392

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY
        Machine Learning detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: invoicePDF.exeJoe Sandbox ML: detected
        Source: invoicePDF.exeJoe Sandbox ML: detected
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 4x nop then jmp 0A8E2573h0_2_0A8E181A
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 4x nop then jmp 0A8E2573h0_2_0A8E181A

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 23.105.131.177:4545
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 23.105.131.177:4545
        Source: global trafficTCP traffic: 192.168.2.5:49711 -> 23.105.131.177:4545
        Source: global trafficTCP traffic: 192.168.2.5:49711 -> 23.105.131.177:4545
        Source: Joe Sandbox ViewIP Address: 23.105.131.177 23.105.131.177
        Source: Joe Sandbox ViewIP Address: 23.105.131.177 23.105.131.177
        Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
        Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.177
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: invoicePDF.exe, 00000000.00000003.239254455.000000000776D000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: invoicePDF.exe, 00000000.00000003.238816781.0000000007769000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma7
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomma
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
        Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: invoicePDF.exe, 00000000.00000003.233861149.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
        Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
        Source: invoicePDF.exe, 00000000.00000003.235909054.000000000776B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/-u
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/h
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm=o
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-i
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cny
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comu=
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr$
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krV
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp, invoicePDF.exe, 00000000.00000003.233995308.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: invoicePDF.exe, 00000000.00000003.234026172.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comcom
        Source: invoicePDF.exe, 00000000.00000003.234011048.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comtn
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: invoicePDF.exe, 00000000.00000003.239254455.000000000776D000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: invoicePDF.exe, 00000000.00000003.238816781.0000000007769000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma7
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomma
        Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
        Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: invoicePDF.exe, 00000000.00000003.233861149.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
        Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
        Source: invoicePDF.exe, 00000000.00000003.235909054.000000000776B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/-u
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/h
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm=o
        Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-i
        Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cny
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
        Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comu=
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr$
        Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krV
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp, invoicePDF.exe, 00000000.00000003.233995308.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: invoicePDF.exe, 00000000.00000003.234026172.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comcom
        Source: invoicePDF.exe, 00000000.00000003.234011048.000000000777B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comtn
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)Show sources
        Source: invoicePDF.exeStatic file information: Suspicious name
        Source: invoicePDF.exeStatic file information: Suspicious name
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: invoicePDF.exe
        Source: initial sampleStatic PE information: Filename: invoicePDF.exe
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731D12 NtQuerySystemInformation,0_2_07731D12
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731CD8 NtQuerySystemInformation,0_2_07731CD8
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731D12 NtQuerySystemInformation,0_2_07731D12
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731CD8 NtQuerySystemInformation,0_2_07731CD8
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_00A239460_2_00A23946
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA2CE10_2_02DA2CE1
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA00900_2_02DA0090
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA73900_2_02DA7390
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA13180_2_02DA1318
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA87140_2_02DA8714
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA35200_2_02DA3520
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA35110_2_02DA3511
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E181A0_2_0A8E181A
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E016C0_2_0A8E016C
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E018E0_2_0A8E018E
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E06220_2_0A8E0622
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_00A239460_2_00A23946
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA2CE10_2_02DA2CE1
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA00900_2_02DA0090
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA73900_2_02DA7390
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA13180_2_02DA1318
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA87140_2_02DA8714
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA35200_2_02DA3520
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DA35110_2_02DA3511
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E181A0_2_0A8E181A
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E016C0_2_0A8E016C
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E018E0_2_0A8E018E
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0A8E06220_2_0A8E0622
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 3_2_001539463_2_00153946
        Source: invoicePDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: qOrsEUNRoVVp.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: invoicePDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: qOrsEUNRoVVp.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258146933.000000000A6B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259308905.000000000AF50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmpBinary or memory string: originalfilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.251366861.0000000000A36000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258769757.000000000A860000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000003.00000000.249800736.0000000000166000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000004.00000000.250634386.00000000005B6000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exeBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258146933.000000000A6B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259308905.000000000AF50000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmpBinary or memory string: originalfilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.251366861.0000000000A36000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000000.00000002.258769757.000000000A860000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs invoicePDF.exe
        Source: invoicePDF.exe, 00000003.00000000.249800736.0000000000166000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exe, 00000004.00000000.250634386.00000000005B6000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: invoicePDF.exeBinary or memory string: OriginalFilename vs invoicePDF.exe
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: invoicePDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qOrsEUNRoVVp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: invoicePDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qOrsEUNRoVVp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@8/8@0/1
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731842 AdjustTokenPrivileges,0_2_07731842
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0773180B AdjustTokenPrivileges,0_2_0773180B
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_07731842 AdjustTokenPrivileges,0_2_07731842
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_0773180B AdjustTokenPrivileges,0_2_0773180B
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{118a9c10-50c1-4e67-b833-b6bda89b9c6b}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_01
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\pmeEcpEELE
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{118a9c10-50c1-4e67-b833-b6bda89b9c6b}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_01
        Source: C:\Users\user\Desktop\invoicePDF.exeMutant created: \Sessions\1\BaseNamedObjects\pmeEcpEELE
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp69A8.tmpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp69A8.tmpJump to behavior
        Source: invoicePDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: invoicePDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile read: C:\Users\user\Desktop\invoicePDF.exeJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile read: C:\Users\user\Desktop\invoicePDF.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe 'C:\Users\user\Desktop\invoicePDF.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}Jump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe 'C:\Users\user\Desktop\invoicePDF.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: unknownProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess created: C:\Users\user\Desktop\invoicePDF.exe {path}Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: invoicePDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: invoicePDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: invoicePDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: invoicePDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp
        Source: Binary string: mscorrc.pdb source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_012029F8 push cs; ret 0_2_01202A1A
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_01202D91 push es; ret 0_2_01202D92
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DAEB33 push edx; ret 0_2_02DAEB3D
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_012029F8 push cs; ret 0_2_01202A1A
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_01202D91 push es; ret 0_2_01202D92
        Source: C:\Users\user\Desktop\invoicePDF.exeCode function: 0_2_02DAEB33 push edx; ret 0_2_02DAEB3D
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86853683687
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86853683687
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86853683687
        Source: initial sampleStatic PE information: section name: .text entropy: 7.86853683687
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJump to dropped file
        Source: C:\Users\user\Desktop\invoicePDF.exeFile created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exeJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Users\user\Desktop\invoicePDF.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeFile opened: C:\Users\user\Desktop\invoicePDF.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX