Analysis Report PAYMENT_TT_COPYINVOICE001262021.pdf.exe

Overview

General Information

Sample Name: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Analysis ID: 344664
MD5: 84f159a6d9b73e029d2b7e2c34cccf3b
SHA1: f941d4e4366561b492273b5d097119f296f7fa22
SHA256: 69e6c181fa23893493acdf273050519eee74c052a8240fb967bfe7bb2d687c2b

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5256.9.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["91.193.75.45"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe Virustotal: Detection: 42%
Multi AV Scanner detection for submitted file
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Virustotal: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: System.pdbbp"dA source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: System.pdbb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: 32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000003.234792260.0000000001488000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbe source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 02C3AD7Dh 0_2_02C3A869
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 02C3AD7Dh 0_2_02C3A897
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02C3B710
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02C3B720
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 02C3AD7Dh 0_2_02C3AC94
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 02C3AD7Dh 0_2_02C3ACB1
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov esp, ebp 3_2_031084E7
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov esp, ebp 3_2_031085AF
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 0239A665h 6_2_0239A151
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 6_2_0239AFD0
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 6_2_0239AFC0
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 0239A665h 6_2_0239A57C
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 0239A665h 6_2_0239A17F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 4x nop then jmp 0239A665h 6_2_0239A599

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49781 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49782 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49784 -> 91.193.75.45:3387
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49785 -> 91.193.75.45:3387
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 91.193.75.45
Uses dynamic DNS services
Source: unknown DNS query: name: timnoipnew.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49719 -> 91.193.75.45:3387
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03182DAA WSARecv, 3_2_03182DAA
Source: unknown DNS traffic detected: queries for: timnoipnew.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_0549111E NtQuerySystemInformation, 0_2_0549111E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_054910ED NtQuerySystemInformation, 0_2_054910ED
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031815DE NtQuerySystemInformation, 3_2_031815DE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031815A3 NtQuerySystemInformation, 3_2_031815A3
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_04A40C56 NtQuerySystemInformation, 6_2_04A40C56
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_04A40C25 NtQuerySystemInformation, 6_2_04A40C25
Detected potential crypto function
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C312F8 0_2_02C312F8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C31840 0_2_02C31840
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C315A8 0_2_02C315A8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C33A6D 0_2_02C33A6D
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C32450 0_2_02C32450
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3243F 0_2_02C3243F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C31597 0_2_02C31597
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031023A0 3_2_031023A0
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03102FA8 3_2_03102FA8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03109638 3_2_03109638
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03108A38 3_2_03108A38
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_0310CE58 3_2_0310CE58
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_0310B298 3_2_0310B298
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03103850 3_2_03103850
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031096FF 3_2_031096FF
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_0310306F 3_2_0310306F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02391308 6_2_02391308
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02398020 6_2_02398020
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02391840 6_2_02391840
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_023915A8 6_2_023915A8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02393A6D 6_2_02393A6D
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_023912F8 6_2_023912F8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_0239243F 6_2_0239243F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02392450 6_2_02392450
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_02391597 6_2_02391597
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 9_2_031E3850 9_2_031E3850
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 9_2_031E2FA8 9_2_031E2FA8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 9_2_031E306F 9_2_031E306F
Sample file is different than original file name gathered from version info
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217779628.0000000004293000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218559865.0000000005E70000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000000.208544459.0000000000ADC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218686980.0000000005F70000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218686980.0000000005F70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217424729.0000000003171000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000000.215184824.0000000000D8C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619591305.0000000003150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228339752.0000000004A10000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230767566.0000000005580000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230767566.0000000005580000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.226688408.00000000000CC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.229561806.0000000004DD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230573821.0000000005480000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.226992512.000000000085A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000000.225963442.0000000000E6C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.243232065.0000000005750000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Section loaded: windows.staterepositoryps.dll
Uses 32bit PE files
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KIgtQYTewUpkIc.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/9@32/2
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_05490FA2 AdjustTokenPrivileges, 0_2_05490FA2
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_05490F6B AdjustTokenPrivileges, 0_2_05490F6B
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_0318139E AdjustTokenPrivileges, 3_2_0318139E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_03181367 AdjustTokenPrivileges, 3_2_03181367
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_04A40ADA AdjustTokenPrivileges, 6_2_04A40ADA
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 6_2_04A40AA3 AdjustTokenPrivileges, 6_2_04A40AA3
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File created: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{7bde8b34-23a2-4eb0-b342-f2ec89249790}
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_01
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File read: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 0
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.pdbbp"dA source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: System.pdbb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: 32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000003.234792260.0000000001488000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbe source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0x9A57B927 [Sun Jan 21 08:58:15 2052 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_011A7A16 push cs; ret 0_2_011A7A46
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_011A778A push ecx; ret 0_2_011A778D
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_011A7A3B push cs; ret 0_2_011A7A46
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_011A7B59 push cs; ret 0_2_011A7B5A
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37ACB push edi; ret 0_2_02C37ACE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37AF3 pushad ; ret 0_2_02C37AF6
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A87 push 5B6602C3h; ret 0_2_02C37A96
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37AA7 push edx; ret 0_2_02C37AAA
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A43 push eax; ret 0_2_02C37A46
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A4F push edx; ret 0_2_02C37A52
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A53 push ebp; ret 0_2_02C37A5A
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A07 push esi; ret 0_2_02C37A0E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37A1F push ebx; ret 0_2_02C37A22
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3235B push ds; ret 0_2_02C3235E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C32333 push ds; ret 0_2_02C32336
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C378CB push eax; ret 0_2_02C378CE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37887 push edi; ret 0_2_02C37896
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3784B pushad ; ret 0_2_02C37852
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37807 push ebx; ret 0_2_02C3780A
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C379C3 push ecx; ret 0_2_02C379CA
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C379EB push edi; ret 0_2_02C379F2
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C379FB push edx; ret 0_2_02C379FE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37987 pushad ; ret 0_2_02C3798E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3799B push esp; ret 0_2_02C379A2
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3797F push edi; ret 0_2_02C37986
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37697 push 56DE02C3h; ret 0_2_02C3769E
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C37667 push eax; ret 0_2_02C37682
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3761F push esp; ret 0_2_02C37622
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3762F push edx; ret 0_2_02C37632
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3774F pushad ; ret 0_2_02C37756
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 0_2_02C3775B push 5CE002C3h; ret 0_2_02C37766
Source: initial sample Static PE information: section name: .text entropy: 7.68934855761
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File created: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File opened: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217424729.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227611167.0000000002721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Window / User API: threadDelayed 565
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Window / User API: threadDelayed 744
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Window / User API: foregroundWindowGot 1277
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Window / User API: foregroundWindowGot 427
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 5748 Thread sleep time: -53560s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 5352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 1276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 2292 Thread sleep time: -260000s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 1376 Thread sleep time: -49072s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 2296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 3112 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031810C6 GetSystemInfo, 3_2_031810C6
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)Py
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWS#:
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Memory written: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.622758634.0000000003703000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp Binary or memory string: Program Managere=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_031828EE bind, 3_2_031828EE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe Code function: 3_2_0318289C bind, 3_2_0318289C
Behavior Graph

Behavior Graph ID: 344664
Sample: PAYMENT_TT_COPYINVOICE00126...
Startdate: 26/01/2021
Architecture: WINDOWS
Score: 100

Start node:
  DNS: timnoipnew.ddns.net
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
  Started: [9] PAYMENT_TT_COPYINVOICE001262021.pdf.exe 7; [13] PAYMENT_TT_COPYINVOICE001262021.pdf.exe 4

Process [9] PAYMENT_TT_COPYINVOICE001262021.pdf.exe:
  Dropped: C:\Users\user\AppData\...\KIgtQYTewUpkIc.exe (PE32); C:\...\KIgtQYTewUpkIc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4B0D.tmp (XML); PAYMENT_TT_COPYINV...1262021.pdf.exe.log (ASCII)
  Signatures: Injects a PE file into a foreign processes
  Started: [15] PAYMENT_TT_COPYINVOICE001262021.pdf.exe 11; [20] schtasks.exe 1

Process [13] PAYMENT_TT_COPYINVOICE001262021.pdf.exe:
  Started: [22] schtasks.exe 1; [24] PAYMENT_TT_COPYINVOICE001262021.pdf.exe 2

Process [15] PAYMENT_TT_COPYINVOICE001262021.pdf.exe:
  DNS/IP: timnoipnew.ddns.net 91.193.75.45, ports 3387, 49719, 49720, DAVID_CRAIGGG, Serbia; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: [26] schtasks.exe 1

Process [20] schtasks.exe: started [28] conhost.exe
Process [22] schtasks.exe: started [30] conhost.exe
Process [26] schtasks.exe: started [32] conhost.exe

Contacted Public IPs

IP            Domain   Country  ASN     ASN Name       Malicious
91.193.75.45  unknown  Serbia   209623  DAVID_CRAIGGG  true

Private

IP
192.168.2.1

Contacted Domains

Name                 IP            Active
timnoipnew.ddns.net  91.193.75.45  true