
Analysis Report invoicePDF.exe

Overview

General Information

Sample Name: invoicePDF.exe
Analysis ID: 320280
MD5: 71fbb96e66805ffc1f477b3cd89e1a99
SHA1: deb4d9f604ac1502bc5cd601753e8b588a0eba0b
SHA256: 78323d67f56b427a363820b094a4081e652b7e740c75e715fa96fb7ccf96795f
Tags: exe, NanoCore, RAT

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • invoicePDF.exe (PID: 5548 cmdline: 'C:\Users\user\Desktop\invoicePDF.exe' MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • schtasks.exe (PID: 4392 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoicePDF.exe (PID: 4532 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
    • invoicePDF.exe (PID: 3440 cmdline: {path} MD5: 71FBB96E66805FFC1F477B3CD89E1A99)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
Strings:
  • 0x1da8ad:$x1: NanoCore.ClientPluginHost
  • 0x2844ed:$x1: NanoCore.ClientPluginHost
  • 0x1da8ea:$x2: IClientNetworkHost
  • 0x28452a:$x2: IClientNetworkHost
  • 0x1de41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x28805d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp
Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x1da615:$a: NanoCore
  • 0x1da625:$a: NanoCore
  • 0x1da859:$a: NanoCore
  • 0x1da86d:$a: NanoCore
  • 0x1da8ad:$a: NanoCore
  • 0x284255:$a: NanoCore
  • 0x284265:$a: NanoCore
  • 0x284499:$a: NanoCore
  • 0x2844ad:$a: NanoCore
  • 0x2844ed:$a: NanoCore
  • 0x1da674:$b: ClientPlugin
  • 0x1da876:$b: ClientPlugin
  • 0x1da8b6:$b: ClientPlugin
  • 0x2842b4:$b: ClientPlugin
  • 0x2844b6:$b: ClientPlugin
  • 0x2844f6:$b: ClientPlugin
  • 0x12f462:$c: ProjectData
  • 0x1da79b:$c: ProjectData
  • 0x2843db:$c: ProjectData
  • 0x13017b:$d: DESCrypto
  • 0x1db1a2:$d: DESCrypto

Source: 00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security

Source: Process Memory Space: invoicePDF.exe PID: 5548
Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\invoicePDF.exe, ProcessId: 3440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoicePDF.exe' , ParentImage: C:\Users\user\Desktop\invoicePDF.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp', ProcessId: 4392

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: invoicePDF.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\invoicePDF.exe; Code function: 4x nop then jmp 0A8E2573h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 23.105.131.177:4545
Source: global traffic; TCP traffic: 192.168.2.5:49711 -> 23.105.131.177:4545
Source: Joe Sandbox View; IP Address: 23.105.131.177
Source: Joe Sandbox View; ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.177
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoicePDF.exe, 00000000.00000003.239254455.000000000776D000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoicePDF.exe, 00000000.00000003.238816781.0000000007769000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersP
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma7
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcomma
Source: invoicePDF.exe, 00000000.00000002.256205653.0000000007760000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: invoicePDF.exe, 00000000.00000003.233861149.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comic
Source: invoicePDF.exe, 00000000.00000003.233823605.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comx
Source: invoicePDF.exe, 00000000.00000003.235909054.000000000776B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/-u
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/h
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnm=o
Source: invoicePDF.exe, 00000000.00000003.235832918.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnt
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnt-i
Source: invoicePDF.exe, 00000000.00000003.235433616.000000000779D000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cny
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: invoicePDF.exe, 00000000.00000003.236978150.0000000007764000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp, invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: invoicePDF.exe, 00000000.00000003.233717553.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comu=
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr$
Source: invoicePDF.exe, 00000000.00000003.234807091.0000000007766000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krV
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp, invoicePDF.exe, 00000000.00000003.233995308.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: invoicePDF.exe, 00000000.00000003.234026172.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comcom
Source: invoicePDF.exe, 00000000.00000003.234011048.000000000777B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comtn
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: invoicePDF.exe, 00000000.00000002.256342214.00000000078D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: invoicePDF.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: invoicePDF.exe
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731D12 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731CD8 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_00A23946
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA2CE1
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA0090
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA7390
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA1318
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA8714
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA3520
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DA3511
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E181A
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E016C
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E018E
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0A8E0622
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 3_2_00153946
Source: invoicePDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qOrsEUNRoVVp.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.258146933.000000000A6B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.259308905.000000000AF50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.259580512.000000000B050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.251366861.0000000000A36000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
Source: invoicePDF.exe, 00000000.00000002.258769757.000000000A860000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs invoicePDF.exe
Source: invoicePDF.exe, 00000003.00000000.249800736.0000000000166000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
Source: invoicePDF.exe, 00000004.00000000.250634386.00000000005B6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs invoicePDF.exe
Source: invoicePDF.exe | Binary or memory string: OriginalFilename vs invoicePDF.exe
Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.255600273.0000000006D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: invoicePDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: qOrsEUNRoVVp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@0/1
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_07731842 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_0773180B AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe
Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{118a9c10-50c1-4e67-b833-b6bda89b9c6b}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_01
Source: C:\Users\user\Desktop\invoicePDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\pmeEcpEELE
Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp69A8.tmp
Source: invoicePDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\invoicePDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\invoicePDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\invoicePDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\invoicePDF.exe | File read: C:\Users\user\Desktop\invoicePDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe 'C:\Users\user\Desktop\invoicePDF.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'
Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
Source: C:\Users\user\Desktop\invoicePDF.exe | Process created: C:\Users\user\Desktop\invoicePDF.exe {path}
Source: C:\Users\user\Desktop\invoicePDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: invoicePDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: invoicePDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: invoicePDF.exe, 00000000.00000002.257997774.000000000A650000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_012029F8 push cs; ret
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_01202D91 push es; ret
Source: C:\Users\user\Desktop\invoicePDF.exe | Code function: 0_2_02DAEB33 push edx; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.86853683687
Source: C:\Users\user\Desktop\invoicePDF.exe | File created: C:\Users\user\AppData\Roaming\qOrsEUNRoVVp.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qOrsEUNRoVVp' /XML 'C:\Users\user\AppData\Local\Temp\tmp69A8.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\invoicePDF.exe | File opened: C:\Users\user\Desktop\invoicePDF.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\invoicePDF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\invoicePDF.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match File source: 00000000.00000002.252586380.0000000003122000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: invoicePDF.exe PID: 5548, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
        Source: C:\Users\user\Desktop\invoicePDF.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\invoicePDF.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\invoicePDF.exe Window / User API: threadDelayed 626
        Source: C:\Users\user\Desktop\invoicePDF.exe Window / User API: threadDelayed 709
        Source: C:\Users\user\Desktop\invoicePDF.exe Window / User API: foregroundWindowGot 688
        Source: C:\Users\user\Desktop\invoicePDF.exe Window / User API: foregroundWindowGot 700
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5480 Thread sleep time: -41500s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5988 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456 Thread sleep count: 188 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456 Thread sleep count: 626 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 3456 Thread sleep count: 709 > 30
        Source: C:\Users\user\Desktop\invoicePDF.exe TID: 5368 Thread sleep time: -160000s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: vmwareX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMWARE|9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: r#"SOFTWARE\VMware, Inc.\VMware ToolsX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware|9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware |9
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMWARE
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMWAREX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: QEMUX1
        Source: invoicePDF.exe, 00000000.00000002.253561844.00000000034A2000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\invoicePDF.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\invoicePDF.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\invoicePDF.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:
