Analysis Report OUTSTANDING INVOICE.pdf.scr

Overview

General Information

Sample Name: OUTSTANDING INVOICE.pdf.scr (renamed file extension from scr to exe)
Analysis ID: 433312
MD5: 416ccd703aff8844f0454e112f663c06
SHA1: 1db05b7beda1a9e4fb0c4cd8e04c512c98efdf3c
SHA256: e1b2ca52707d724682e2c2618eb33899b019e8650e325e800e43e2042231f55d
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
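The signature list above describes a chain that is visible in plain process-creation telemetry: a double-extension lure (OUTSTANDING INVOICE.pdf.scr), a copy named "windows update.exe" dropped into the user's Documents and Temp folders, and InstallUtil.exe (a .NET framework utility) ending up as the process that hosts the RAT. The script below is an added triage example, not Joe Sandbox code and not code from the sample. Its four event records are constructed to mirror the report; the InstallUtil.exe path, the parent/child relationships, the extra framework host names and the list of impersonated Windows component names are assumptions, since the report does not state them.

```python
"""Triage rules for the behaviours listed above, run over constructed
process-creation records (Sysmon-style Image/ParentImage fields).
Added example; not Joe Sandbox code and not code from the sample."""
from __future__ import annotations
import ntpath
import re

# Document-looking inner extensions a lure hides behind, and the extensions
# Windows will actually execute (.scr is a PE exactly like .exe).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# User-writable locations the report shows the dropper living in.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(documents|desktop|downloads|appdata\\local\\temp)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64|microsoft\.net)\\", re.I)
# .NET framework utilities commonly abused as hollowing hosts. InstallUtil.exe is
# the one seen in this report; the others are an assumption from the same pattern.
FRAMEWORK_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
# Names chosen to look like Windows components; beyond "windows update.exe" this
# list is an assumption.
LOOKALIKE_NAMES = {"windows update.exe", "svchost.exe", "csrss.exe", "lsass.exe"}


def is_double_extension(image: str) -> bool:
    """True for names like 'OUTSTANDING INVOICE.pdf.scr'."""
    root, ext = ntpath.splitext(ntpath.basename(image).lower())
    _, inner = ntpath.splitext(root)
    return ext in EXEC_EXTS and inner in DOC_EXTS


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules a process-creation event triggers."""
    image = ev["Image"]
    parent = ev.get("ParentImage", "")
    name = ntpath.basename(image).lower()
    hits = []
    if is_double_extension(image):
        hits.append("double_extension_lure")
    if name in FRAMEWORK_HOSTS and USER_WRITABLE.search(parent):
        hits.append("framework_host_from_user_dir")
    if name in LOOKALIKE_NAMES and not SYSTEM_DIRS.match(image):
        hits.append("system_name_outside_system_dir")
    return hits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image path to its rule hits; clean events are omitted."""
    out = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[ev["Image"]] = hits
    return out


# Constructed records mirroring the report's process chain (paths of the
# framework host and the parent links are assumptions).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.scr",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\Documents\windows update.exe",
     "ParentImage": r"C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.scr"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Users\user\Documents\windows update.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign control record
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(hits))
```

The third rule is the one worth tuning: a legitimate InstallUtil.exe is started by an installer or a build tool, not by an executable sitting in Documents or Temp, so the parent path carries most of the signal. Note that the report also records that the dropper clears the Zone.Identifier stream (ClearZoneIdentifier: Enable in the configuration), so a "downloaded from the Internet" mark on the dropped copies cannot be relied on as a second indicator.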

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e7a66d0e-8937-40e7-aaea-a267e5d3", "Group": "MAY 09 2021", "Domain1": "194.5.98.28", "Domain2": "brownhost22.ddns.net", "Port": 2021, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Metadefender: Detection: 13% Perma Link
Source: C:\Users\user\AppData\Local\Temp\windows update.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Documents\windows update.exe ReversingLabs: Detection: 51%
Multi AV Scanner detection for submitted file
Source: OUTSTANDING INVOICE.pdf.exe Virustotal: Detection: 26% Perma Link
Source: OUTSTANDING INVOICE.pdf.exe ReversingLabs: Detection: 51%
Yara detected Nanocore RAT
Source: Yara match File source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.930250382.00000000058B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY
Source: Yara match File source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365ff84.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365ff84.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.36645ad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\Documents\windows update.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: OUTSTANDING INVOICE.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.InstallUtil.exe.58b0000.10.unpack Avira: Label: TR/NanoCore.fadte
Source: 11.2.InstallUtil.exe.700000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.InstallUtil.exe.700000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.InstallUtil.exe.700000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000B.00000000.737451580.0000000000312000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
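The static PE facts above (32BIT_MACHINE, EXECUTABLE_IMAGE, NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA) are bit flags in the COFF and optional headers, and the InstallUtil.pdb / _CorExeMain / mscoree.dll strings mark a managed (.NET) image. One caveat a reader should have: HIGH_ENTROPY_VA only affects 64-bit ASLR, so seeing it on a 32-bit image is not evidence of tampering; modern .NET compilers set it by default. The decoder below is an added example, not Joe Sandbox code; the header bytes it parses are constructed here (the sample's real link timestamp is not given in the report, so the demo uses a made-up future date to exercise the "suspicious time stamp" heuristic, whose thresholds are an assumption).

```python
"""Decode the static PE facts listed above (32BIT_MACHINE, EXECUTABLE_IMAGE,
NX_COMPAT, ...) and the CLR header that marks a .NET image. Added example,
not Joe Sandbox code; the header bytes used in the demo are constructed
here and are not the sample's bytes."""
import datetime
import struct

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
EPOCH_2000 = 946684800        # assumption: link stamps before 2000 are treated as odd


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_summary(data: bytes) -> dict:
    """Read the COFF and optional headers of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    dirs = 96 if magic == PE32_MAGIC else 112                  # first data directory entry
    ndirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    managed = False
    if ndirs > CLR_DIRECTORY_INDEX:
        rva, size = struct.unpack_from("<II", data, opt + dirs + 8 * CLR_DIRECTORY_INDEX)
        managed = rva != 0 and size != 0   # .NET images carry a CLR (COM descriptor) header
    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "timestamp_epoch": stamp,
        "timestamp": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc),
        "is_managed": managed,
    }


def timestamp_is_suspicious(stamp: int, now_epoch: int) -> bool:
    """Future-dated or pre-2000 link stamps are worth a second look (heuristic)."""
    return stamp > now_epoch or stamp < EPOCH_2000


def build_minimal_pe(chars: int, dll_chars: int, stamp: int, managed: bool,
                     pe32plus: bool = False) -> bytes:
    """Constructed DOS stub + PE headers with no sections; enough for parsing."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    dirs = 112 if pe32plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)                       # 16 data directories
    if managed:
        struct.pack_into("<II", opt, dirs + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 0, stamp, 0, 0, len(opt), chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Flags as reported for the sample; the stamp is constructed (2030-01-01 UTC).
    demo = build_minimal_pe(0x0102, 0x8560, 1893456000, managed=True)
    summary = parse_pe_summary(demo)
    for key, value in summary.items():
        print("%-20s %s" % (key, value))
    print("suspicious stamp:", timestamp_is_suspicious(summary["timestamp_epoch"], 1622505600))
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe_summary`. Keep in mind that for a managed executable the DllCharacteristics describe the thin native stub; the interesting code is IL that the runtime JIT-compiles into fresh executable memory, which is why the Yara hits in this report land in dumped memory regions rather than in the file on disk.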

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_070F2C80
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_070F2C70
Source: C:\Users\user\Documents\windows update.exe Code function: 4x nop then jmp 0624CDCFh 6_2_0624CC90
Source: C:\Users\user\Documents\windows update.exe Code function: 4x nop then jmp 0624E2F5h 6_2_0624E160
Source: C:\Users\user\Documents\windows update.exe Code function: 4x nop then jmp 0624CDCFh 6_2_0624CC82
Source: C:\Users\user\Documents\windows update.exe Code function: 4x nop then jmp 0624E2F5h 6_2_0624E14F
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Code function: 4x nop then jmp 01090799h 12_2_01090560
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Code function: 4x nop then jmp 01090799h 12_2_01090552
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Code function: 4x nop then jmp 00AD0799h 13_2_00AD0560
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Code function: 4x nop then jmp 00AD0799h 13_2_00AD0552
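The signature above reports runs of four single-byte nops (0x90) followed directly by an unconditional jmp or by lea esp,[ebp-8]; compilers pad with nops for alignment before a label, not immediately before a jump, so the pattern is a cheap marker for hand-written or obfuscated code. Note where the hits are: 0x070F2C80 and 0x0624CC90 lie far above the image base of 0x4e0000 that the unpack names in this report give for process 0, so they are in dynamically allocated memory, which for a .NET sample is JIT output or an unpacked stage rather than the file on disk. Treat the hit as a pointer to the region to dump, not as proof of a shellcode stub. The scanner below is an added example, not Joe Sandbox's implementation; DEMO_CODE is constructed to reproduce the listed hit (a function at 0x0624CC90 jumping to 0x0624CDCF) and is not the sample's code.

```python
"""Find the '<n>x nop then jmp/lea' byte patterns the signature above reports.
Added example, not Joe Sandbox's implementation. DEMO_CODE is constructed to
reproduce the listed hit at 0x0624CC90 (jump to 0x0624CDCF); it is not the
sample's code."""
import struct

NOP, JMP_REL8, JMP_REL32, LEA = 0x90, 0xEB, 0xE9, 0x8D
MODRM_ESP_EBP_DISP8 = 0x65      # mod=01 reg=esp rm=ebp -> lea esp,[ebp+disp8]


def find_nop_runs(code: bytes, base: int, min_nops: int = 4) -> list:
    """Return (address_of_run, nop_count, kind, detail) for every run of at
    least min_nops single-byte nops followed by jmp (detail = target address)
    or lea esp,[ebp+disp8] (detail = signed displacement)."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        count = i - start
        if count < min_nops or i >= n:
            continue
        op = code[i]
        if op == JMP_REL8 and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]          # rel8 from next insn
            hits.append((base + start, count, "jmp", base + i + 2 + rel))
        elif op == JMP_REL32 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]          # rel32 from next insn
            hits.append((base + start, count, "jmp", base + i + 5 + rel))
        elif op == LEA and i + 3 <= n and code[i + 1] == MODRM_ESP_EBP_DISP8:
            disp = struct.unpack_from("<b", code, i + 2)[0]
            hits.append((base + start, count, "lea esp,[ebp+disp8]", disp))
    return hits


def format_hit(hit: tuple) -> str:
    """Render a hit in the report's own wording, e.g. '4x nop then jmp 0624CDCFh'."""
    _, count, kind, detail = hit
    if kind == "jmp":
        return "%dx nop then jmp %08Xh" % (count, detail)
    sign = "-" if detail < 0 else "+"
    return "%dx nop then lea esp, dword ptr [ebp%s%02Xh]" % (count, sign, abs(detail))


# Constructed x86 bytes: prologue, 4 nops + jmp rel32, 4 nops + lea esp,[ebp-8], ret.
DEMO_BASE = 0x0624CC90
DEMO_CODE = (
    bytes.fromhex("558bec")                                # push ebp; mov ebp,esp
    + b"\x90" * 4 + b"\xE9" + struct.pack("<i", 0x133)     # 4x nop; jmp 0624CDCFh
    + b"\x90" * 4 + bytes.fromhex("8d65f8")                # 4x nop; lea esp,[ebp-08h]
    + b"\xc3"                                              # ret
)

if __name__ == "__main__":
    for hit in find_nop_runs(DEMO_CODE, DEMO_BASE):
        print("%08X: %s" % (hit[0], format_hit(hit)))
```

To apply it to one of the report's memory dumps, read the dump file and pass the base address encoded in its name (the fourth dotted field of the .sdmp name is the dump's base address) so the printed targets match the report's addressing.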

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: brownhost22.ddns.net
Source: Malware configuration extractor URLs: 194.5.98.28
Uses dynamic DNS services
Source: unknown DNS query: name: brownhost22.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49765 -> 194.5.98.28:2021
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.5.98.28 194.5.98.28
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Source: unknown DNS traffic detected: queries for: brownhost22.ddns.net
Source: windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696754008.000000000284F000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: windows update.exe, 00000005.00000002.714927650.0000000002E24000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: windows update.exe, 00000005.00000002.714927650.0000000002E24000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.663994887.0000000006C26000.00000004.00000001.sdmp, OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.695725968.0000000006C2D000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.663994887.0000000006C26000.00000004.00000001.sdmp, OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.695725968.0000000006C2D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: windows update.exe, 00000006.00000003.722676487.00000000068A6000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gMa
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.663994887.0000000006C26000.00000004.00000001.sdmp, OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.695725968.0000000006C2D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000003.661817036.0000000006C26000.00000004.00000001.sdmp String found in binary or memory: http://ns.d
Source: windows update.exe, 00000005.00000002.714927650.0000000002E24000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696816747.000000000287D000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.714927650.0000000002E24000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696754008.000000000284F000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696754008.000000000284F000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696795598.0000000002866000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.714839160.0000000002DF1000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923367629.000000000254E000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696715422.0000000002821000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713721843.0000000002AA1000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923086971.0000000002521000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: windows update.exe, 00000005.00000002.714839160.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: windows update.exe, 00000005.00000002.713354180.0000000000D12000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696795598.0000000002866000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.714839160.0000000002DF1000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923367629.000000000254E000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923453182.0000000002565000.00000004.00000001.sdmp String found in binary or memory: https://www.google.
Source: windows update.exe, 00000005.00000002.714839160.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.$
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696715422.0000000002821000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713721843.0000000002AA1000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923086971.0000000002521000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696715422.0000000002821000.00000004.00000001.sdmp, windows update.exe, 00000005.00000002.713721843.0000000002AA1000.00000004.00000001.sdmp, windows update.exe, 00000006.00000002.923086971.0000000002521000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: windows update.exe, 00000005.00000002.714809706.0000000002DE8000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com4Wk2
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.696754008.000000000284F000.00000004.00000001.sdmp String found in binary or memory: https://www.google.h
Source: windows update.exe, 00000006.00000002.923367629.000000000254E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.imag
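The configuration printed under "Found malware configuration" above and the "global traffic" line above are the two pieces an analyst joins: the config says where the implant will go (two C2 entries sharing port 2021, one of them a ddns.net name, plus the mutex and the keylogger/zone-identifier switches), and the traffic line shows the sandbox host actually connecting to 194.5.98.28:2021. One detail worth acting on: UseCustomDNS is enabled with 8.8.8.8 and 8.8.4.4, so the implant resolves brownhost22.ddns.net by itself over UDP/53 to Google's resolvers, and the lookup may never reach the corporate resolver's logs; outbound DNS to external resolvers from workstations is therefore a detection point in its own right. The script below is an added example, not Joe Sandbox code, that does the join and emits Suricata rules. The dynamic-DNS zone list, the resolved-address map used in the name-match case, and the sid numbers are assumptions or placeholders; NANOCORE_CONFIG is the subset of the report's configuration that matters for hunting.

```python
"""Join the extracted NanoCore configuration with the observed traffic and
emit indicators. Added example, not Joe Sandbox code; NANOCORE_CONFIG is the
subset of the report's configuration that matters for hunting."""
import ipaddress
import re

NANOCORE_CONFIG = {
    "Version": "1.2.2.0",
    "Mutex": "e7a66d0e-8937-40e7-aaea-a267e5d3",
    "Group": "MAY 09 2021",
    "Domain1": "194.5.98.28",
    "Domain2": "brownhost22.ddns.net",
    "Port": 2021,
    "KeyboardLogging": "Enable",
    "ClearZoneIdentifier": "Enable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8",
    "BackupDNSServer": "8.8.4.4",
}
# Assumption: a few widely used free dynamic-DNS zones; extend for your estate.
DYNDNS_ZONES = tuple("." + z for z in ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org"))
TRAFFIC_RE = re.compile(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(cfg: dict) -> dict:
    """Pull the hunt-relevant fields out of a NanoCore config dictionary."""
    port = int(cfg["Port"])
    hosts = [cfg[k].lower() for k in sorted(cfg) if k.startswith("Domain") and cfg[k]]
    custom = cfg.get("UseCustomDNS") == "Enable"
    return {
        "mutex": cfg["Mutex"],
        "c2": {(h, port) for h in hosts},
        "dynamic_dns": {h for h in hosts if not _is_ip(h) and h.endswith(DYNDNS_ZONES)},
        "keylogger": cfg.get("KeyboardLogging") == "Enable",
        "clears_motw": cfg.get("ClearZoneIdentifier") == "Enable",
        "custom_dns": [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer")
                       if custom and cfg.get(k)],
    }


def match_traffic(line: str, iocs: dict, dns: dict):
    """Match a 'src:port -> dst:port' line against the C2 set. dns maps a
    hostname to the set of addresses it resolved to, so a name-only IOC also
    matches the connection made to its address. Returns the matched IOC or None."""
    m = TRAFFIC_RE.search(line)
    if not m:
        return None
    dst, dport = m.group(3).lower(), int(m.group(4))
    resolved_names = {name for name, ips in dns.items() if dst in ips}
    for host, port in iocs["c2"]:
        if port == dport and (host == dst or host in resolved_names):
            return (host, port)
    return None


def suricata_rules(iocs: dict, sid_base: int = 1000001) -> list:
    """One rule per C2 entry: a TCP rule for addresses, a DNS-query rule for
    names. sid values are placeholders in the local (1000000+) range."""
    rules = []
    for sid, (host, port) in enumerate(sorted(iocs["c2"]), start=sid_base):
        if _is_ip(host):
            rules.append('alert tcp $HOME_NET any -> %s %d (msg:"NanoCore C2 %s:%d"; '
                         'flow:to_server; classtype:trojan-activity; sid:%d; rev:1;)'
                         % (host, port, host, port, sid))
        else:
            rules.append('alert dns $HOME_NET any -> any any (msg:"NanoCore C2 lookup %s"; '
                         'dns.query; content:"%s"; nocase; classtype:trojan-activity; '
                         'sid:%d; rev:1;)' % (host, host, sid))
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(NANOCORE_CONFIG)
    print("C2:", sorted(iocs["c2"]), "DDNS:", sorted(iocs["dynamic_dns"]))
    # Traffic line as reported by the sandbox; the DNS map is empty because the
    # report shows a direct connection to the address, not to the resolved name.
    print("beacon:", match_traffic("192.168.2.4:49765 -> 194.5.98.28:2021", iocs, {}))
    for rule in suricata_rules(iocs):
        print(rule)
```

The mutex is the cheapest host-side check (a running NanoCore instance holds it open), and the two C2 entries should be blocked together: the address is what was seen, but the ddns.net name is what survives when the operator moves the listener.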

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: windows update.exe, 0000000C.00000002.758894350.0000000000E18000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match (same memory dump and unpacked PE match list as given under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.929762962.0000000004FE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.930250382.00000000058B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.InstallUtil.exe.4fe0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.InstallUtil.exe.58b4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.InstallUtil.exe.365ff84.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.365ff84.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.58b0000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.2666040.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.36645ad.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.InstallUtil.exe.58b0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: OUTSTANDING INVOICE.pdf.exe, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: windows update.exe.0.dr, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: 0.0.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: 5.0.windows update.exe.740000.0.unpack, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: 5.2.windows update.exe.740000.0.unpack, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Source: 6.0.windows update.exe.c0000.0.unpack, q9S/Lc5.cs Large array initialization: .cctor: array initializer size 3852
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: OUTSTANDING INVOICE.pdf.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06241AFC CreateProcessAsUserW, 6_2_06241AFC
Detected potential crypto function
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_00DBEE70 0_2_00DBEE70
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_00DBD308 0_2_00DBD308
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_070F1118 0_2_070F1118
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_070F1113 0_2_070F1113
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_070F0023 0_2_070F0023
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_070F0040 0_2_070F0040
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_02A5EE70 5_2_02A5EE70
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_02A5D308 5_2_02A5D308
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_00B7EE70 6_2_00B7EE70
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_00B7D308 6_2_00B7D308
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_0624A6E9 6_2_0624A6E9
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06241EC0 6_2_06241EC0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06245ED1 6_2_06245ED1
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062457AE 6_2_062457AE
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06243CE0 6_2_06243CE0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062429B7 6_2_062429B7
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062411F0 6_2_062411F0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06247DF9 6_2_06247DF9
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_0624B318 6_2_0624B318
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062488E0 6_2_062488E0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06247148 6_2_06247148
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06247158 6_2_06247158
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062495A0 6_2_062495A0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062475C0 6_2_062475C0
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_062475D0 6_2_062475D0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 11_2_003120B0 11_2_003120B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 11_2_024CE471 11_2_024CE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 11_2_024CE480 11_2_024CE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 11_2_024CBBD4 11_2_024CBBD4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\windows update.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
Sample file is different than original file name gathered from version info
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.701321031.0000000006410000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.702071465.0000000007100000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.697271627.0000000002A8B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.702234051.00000000071F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.702234051.00000000071F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.700463444.00000000059A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.695985058.000000000059A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAdobe Download ManagerN vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.701529245.0000000006710000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs OUTSTANDING INVOICE.pdf.exe
Source: OUTSTANDING INVOICE.pdf.exe Binary or memory string: OriginalFilenameAdobe Download ManagerN vs OUTSTANDING INVOICE.pdf.exe
Uses 32bit PE files
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.929762962.0000000004FE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.929762962.0000000004FE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.930250382.00000000058B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.930250382.00000000058B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.InstallUtil.exe.4fe0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.4fe0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.InstallUtil.exe.58b4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.58b4629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.InstallUtil.exe.365ff84.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.365ff84.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.365ff84.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.365ff84.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.58b0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.58b0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.2666040.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.2666040.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.36645ad.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.36645ad.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.InstallUtil.exe.58b0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.InstallUtil.exe.58b0000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.evad.winEXE@54/32@8/2
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.lnk
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e7a66d0e-8937-40e7-aaea-a267e5d3f96b}
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Documents\windows update.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Documents\windows update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: OUTSTANDING INVOICE.pdf.exe Virustotal: Detection: 26%
Source: OUTSTANDING INVOICE.pdf.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File read: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe 'C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe'
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process created: C:\Users\user\Documents\windows update.exe 'C:\Users\user\Documents\windows update.exe'
Source: unknown Process created: C:\Users\user\Documents\windows update.exe 'C:\Users\user\Documents\windows update.exe'
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process created: C:\Users\user\Documents\windows update.exe 'C:\Users\user\Documents\windows update.exe'
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\Documents\windows update.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OUTSTANDING INVOICE.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000B.00000000.737451580.0000000000312000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

Binary contains a suspicious time stamp
Source: windows update.exe.6.dr Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_004E3F02 push ss; retf 0_2_004E3FD2
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_004E24C4 pushfd ; ret 0_2_004E24C5
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_004E3F9F push ss; retf 0_2_004E3FD2
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Code function: 0_2_004E3C9C push 704C7DF1h; ret 0_2_004E3CA6
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_00743F02 push ss; retf 5_2_00743FD2
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_007424C4 pushfd ; ret 5_2_007424C5
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_00743C9C push 704C7DF1h; ret 5_2_00743CA6
Source: C:\Users\user\Documents\windows update.exe Code function: 5_2_00743F9F push ss; retf 5_2_00743FD2
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_000C3F02 push ss; retf 6_2_000C3FD2
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_000C3C9C push 704C7DF1h; ret 6_2_000C3CA6
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_000C3F9F push ss; retf 6_2_000C3FD2
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_000C24C4 pushfd ; ret 6_2_000C24C5
Source: C:\Users\user\Documents\windows update.exe Code function: 6_2_06170001 push es; retf 6_2_06170014
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 11_2_024CC8D9 push edx; retf 11_2_024CC922
Source: OUTSTANDING INVOICE.pdf.exe, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: OUTSTANDING INVOICE.pdf.exe, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: windows update.exe.0.dr, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: windows update.exe.0.dr, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: 0.2.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: 0.0.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: 0.0.OUTSTANDING INVOICE.pdf.exe.4e0000.0.unpack, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: 5.0.windows update.exe.740000.0.unpack, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: 5.0.windows update.exe.740000.0.unpack, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: 5.2.windows update.exe.740000.0.unpack, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: 5.2.windows update.exe.740000.0.unpack, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'
Source: windows update.exe.6.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: windows update.exe.6.dr, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: windows update.exe.6.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: windows update.exe.6.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: windows update.exe.6.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 6.0.windows update.exe.c0000.0.unpack, Tn2i/Ta0o.cs High entropy of concatenated method names: '.ctor', 'f4C1', 'Zt08', 'Tm78', 'r3L7', 'Rg14', 'Ae21', 'd1C5', 'y8DC', 'p0L2'
Source: 6.0.windows update.exe.c0000.0.unpack, d6G4/y8JZ.cs High entropy of concatenated method names: '.ctor', 'Ge70', 'Hy45', 'z1WN', 'p6G7', 'Qs9d', 'Lz79', 'Qd81', 'Gz73', 'Bg18'

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\Documents\windows update.exe
Drops PE files
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\Documents\windows update.exe
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Documents\windows update.exe File created: C:\Users\user\AppData\Local\Temp\windows update.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.lnk
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.lnk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe File opened: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Documents\windows update.exe File opened: C:\Users\user\Documents\windows update.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: OUTSTANDING INVOICE.pdf.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\windows update.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\windows update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Window / User API: threadDelayed 536
Source: C:\Users\user\Documents\windows update.exe Window / User API: threadDelayed 356
Source: C:\Users\user\Documents\windows update.exe Window / User API: threadDelayed 4391
Source: C:\Users\user\Documents\windows update.exe Window / User API: threadDelayed 4836
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3008
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 6572
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: foregroundWindowGot 619
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe TID: 5748 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe TID: 1380 Thread sleep count: 536 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe TID: 5808 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe TID: 3296 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 6588 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 6076 Thread sleep count: 356 > 30 Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 4584 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 6920 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 5740 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 6220 Thread sleep count: 4391 > 30 Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 6220 Thread sleep count: 4836 > 30 Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 5780 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\Documents\windows update.exe TID: 5780 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6656 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 6928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 5856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 5620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 1472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 6428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 6516 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 5460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 7136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windows update.exe TID: 6520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\windows update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Thread delayed: delay time: 922337203685477
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.700463444.00000000059A0000.00000002.00000001.sdmp, windows update.exe, 00000005.00000002.718930108.0000000005B10000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.930717255.0000000006180000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: windows update.exe, 0000000F.00000002.771517383.00000000011BC000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{f<Z
Source: windows update.exe, 0000000F.00000002.771517383.00000000011BC000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: OUTSTANDING INVOICE.pdf.exe Binary or memory string: Dk/mhgfsdcb
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.700463444.00000000059A0000.00000002.00000001.sdmp, windows update.exe, 00000005.00000002.718930108.0000000005B10000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.930717255.0000000006180000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.700463444.00000000059A0000.00000002.00000001.sdmp, windows update.exe, 00000005.00000002.718930108.0000000005B10000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.930717255.0000000006180000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: windows update.exe, 00000005.00000002.713343664.0000000000D03000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlligurn4Zx>
Source: windows update.exe, 00000016.00000002.798658964.0000000001234000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstallUtil.exe, 0000000B.00000003.812584282.00000000009EC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.700463444.00000000059A0000.00000002.00000001.sdmp, windows update.exe, 00000005.00000002.718930108.0000000005B10000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.930717255.0000000006180000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\windows update.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Documents\windows update.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 700000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 700000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 700000
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 702000
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 720000
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 722000
Source: C:\Users\user\Documents\windows update.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 45A008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Process created: C:\Users\user\Documents\windows update.exe 'C:\Users\user\Documents\windows update.exe'
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Documents\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\Documents\windows update.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process created: C:\Users\user\AppData\Local\Temp\windows update.exe 'C:\Users\user\AppData\Local\Temp\windows update.exe'
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Process created: unknown unknown
Source: windows update.exe, 00000006.00000002.922306110.0000000000F20000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.930699068.000000000617C000.00000004.00000001.sdmp, windows update.exe, 0000000D.00000002.916897577.0000000000E80000.00000002.00000001.sdmp, windows update.exe, 00000011.00000002.920296404.00000000018F0000.00000002.00000001.sdmp, windows update.exe, 00000014.00000002.917181684.0000000001590000.00000002.00000001.sdmp, windows update.exe, 00000017.00000002.920897775.00000000012F0000.00000002.00000001.sdmp, windows update.exe, 00000019.00000002.918844745.00000000012E0000.00000002.00000001.sdmp, windows update.exe, 0000001B.00000002.920762051.0000000001C90000.00000002.00000001.sdmp, windows update.exe, 0000001D.00000002.920760464.0000000001880000.00000002.00000001.sdmp, windows update.exe, 00000020.00000002.918144621.0000000001070000.00000002.00000001.sdmp, windows update.exe, 00000022.00000002.917058067.0000000001B40000.00000002.00000001.sdmp, windows update.exe, 00000024.00000002.918146023.00000000012C0000.00000002.00000001.sdmp, windows update.exe, 00000026.00000002.921010207.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: windows update.exe, 00000006.00000002.922306110.0000000000F20000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.919959970.0000000001070000.00000002.00000001.sdmp, windows update.exe, 0000000D.00000002.916897577.0000000000E80000.00000002.00000001.sdmp, windows update.exe, 00000011.00000002.920296404.00000000018F0000.00000002.00000001.sdmp, windows update.exe, 00000014.00000002.917181684.0000000001590000.00000002.00000001.sdmp, windows update.exe, 00000017.00000002.920897775.00000000012F0000.00000002.00000001.sdmp, windows update.exe, 00000019.00000002.918844745.00000000012E0000.00000002.00000001.sdmp, windows update.exe, 0000001B.00000002.920762051.0000000001C90000.00000002.00000001.sdmp, windows update.exe, 0000001D.00000002.920760464.0000000001880000.00000002.00000001.sdmp, windows update.exe, 00000020.00000002.918144621.0000000001070000.00000002.00000001.sdmp, windows update.exe, 00000022.00000002.917058067.0000000001B40000.00000002.00000001.sdmp, windows update.exe, 00000024.00000002.918146023.00000000012C0000.00000002.00000001.sdmp, windows update.exe, 00000026.00000002.921010207.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: windows update.exe, 00000006.00000002.922306110.0000000000F20000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.919959970.0000000001070000.00000002.00000001.sdmp, windows update.exe, 0000000D.00000002.916897577.0000000000E80000.00000002.00000001.sdmp, windows update.exe, 00000011.00000002.920296404.00000000018F0000.00000002.00000001.sdmp, windows update.exe, 00000014.00000002.917181684.0000000001590000.00000002.00000001.sdmp, windows update.exe, 00000017.00000002.920897775.00000000012F0000.00000002.00000001.sdmp, windows update.exe, 00000019.00000002.918844745.00000000012E0000.00000002.00000001.sdmp, windows update.exe, 0000001B.00000002.920762051.0000000001C90000.00000002.00000001.sdmp, windows update.exe, 0000001D.00000002.920760464.0000000001880000.00000002.00000001.sdmp, windows update.exe, 00000020.00000002.918144621.0000000001070000.00000002.00000001.sdmp, windows update.exe, 00000022.00000002.917058067.0000000001B40000.00000002.00000001.sdmp, windows update.exe, 00000024.00000002.918146023.00000000012C0000.00000002.00000001.sdmp, windows update.exe, 00000026.00000002.921010207.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000B.00000002.931247033.00000000063AD000.00000004.00000001.sdmp Binary or memory string: Program Manager 4L
Source: InstallUtil.exe, 0000000B.00000002.922259548.00000000026EA000.00000004.00000001.sdmp Binary or memory string: Program Manager|$
Source: windows update.exe, 00000006.00000002.922306110.0000000000F20000.00000002.00000001.sdmp, InstallUtil.exe, 0000000B.00000002.919959970.0000000001070000.00000002.00000001.sdmp, windows update.exe, 0000000D.00000002.916897577.0000000000E80000.00000002.00000001.sdmp, windows update.exe, 00000011.00000002.920296404.00000000018F0000.00000002.00000001.sdmp, windows update.exe, 00000014.00000002.917181684.0000000001590000.00000002.00000001.sdmp, windows update.exe, 00000017.00000002.920897775.00000000012F0000.00000002.00000001.sdmp, windows update.exe, 00000019.00000002.918844745.00000000012E0000.00000002.00000001.sdmp, windows update.exe, 0000001B.00000002.920762051.0000000001C90000.00000002.00000001.sdmp, windows update.exe, 0000001D.00000002.920760464.0000000001880000.00000002.00000001.sdmp, windows update.exe, 00000020.00000002.918144621.0000000001070000.00000002.00000001.sdmp, windows update.exe, 00000022.00000002.917058067.0000000001B40000.00000002.00000001.sdmp, windows update.exe, 00000024.00000002.918146023.00000000012C0000.00000002.00000001.sdmp, windows update.exe, 00000026.00000002.921010207.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: InstallUtil.exe, 0000000B.00000002.930568254.0000000005C6D000.00000004.00000001.sdmp Binary or memory string: Program Managert

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Users\user\Documents\windows update.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Users\user\Documents\windows update.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windows update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\windows update.exe VolumeInformation
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.738992009.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931420211.000000000364C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914832988.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.697836109.000000000394C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.930250382.00000000058B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.931144467.0000000003528000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: windows update.exe PID: 4552, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6684, type: MEMORY
Source: Yara match File source: 6.2.windows update.exe.36d8222.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37efa00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365b14e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.36d8222.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37efa00.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3aefe58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39c5403.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.39d867a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3692412.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37dc79b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37a9c02.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3529510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365ff84.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.365ff84.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.36645ad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.InstallUtil.exe.700000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.36c4fab.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.3adcbf3.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.3692412.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.InstallUtil.exe.58b0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.InstallUtil.exe.700000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OUTSTANDING INVOICE.pdf.exe.399286a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.windows update.exe.37a9c02.8.raw.unpack, type: UNPACKEDPE
Searches for user specific document files
Source: C:\Users\user\Desktop\OUTSTANDING INVOICE.pdf.exe Directory queried: C:\Users\user\Documents

Remote Access Functionality:

Detected Nanocore Rat
Source: OUTSTANDING INVOICE.pdf.exe, 00000000.00000002.698113969.0000000003AAA000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: windows update.exe, 00000006.00000002.931537578.00000000037A9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000000B.00000000.738643631.0000000000702000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000000B.00000002.925828807.0000000003659000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT