Edit tour

Windows Analysis Report
Notteppad_SettupX32iX64.exe

Overview

General Information

Sample Name:	Notteppad_SettupX32iX64.exe
Analysis ID:	783578
MD5:	e7dfb892dbd65b0ed6fed69b20edf739
SHA1:	1cc4b53dcd7add65fe4b11531751b43f2d7e387d
SHA256:	2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5
Tags:	exeRhadamanthys
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contain functionality to detect virtual machines

Contains functionality to detect virtual machines (IN, VMware)

Searches for specific processes (likely to inject)

Found API chain indicative of debugger detection

Tries to harvest and steal Bitcoin Wallet information

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries device information via Setup API

Contains functionality to detect virtual machines (STR)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to detect virtual machines (SIDT)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Contains functionality to read device registry values (via SetupAPI)

PE file contains more sections than normal

Yara detected Keylogger Generic

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SGDT)

Classification

Process Tree

System is w10x64

Notteppad_SettupX32iX64.exe (PID: 5280 cmdline: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe MD5: E7DFB892DBD65B0ED6FED69B20EDF739)

rundll32.exe (PID: 5152 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DWvAEoAUB8AbyMAZv8AcQBtAHUAQc8ATABOJwAtAVlI|4PsKOgEAgAA|0iDxCjDzMzM|0yJRCQYSIlUfyQQSIlMJAhdAf9Ii0QkMEiJBO0kgQE4SG8ACEjHt0QkEC0B6w6BARCvSIPAAY8BEIEBQNtIOZYAcyWfA4sM|yRIA8hIi8FI64tMqwFUewAD0Uj|i8qKCYgI68F+ZgVlSIsEJWDz8P8zyUiLUBhIO||RdDZIg8IgSP+LAkg7wnQqZv+DeEgYdRpMi|9AUGZBgzhrdN0HERFLdQgREHgQ|y50BUiLAOvV10iLSP0AwWoAQFP|VVZXQVRBVUH3VkFXXQFmgTlN|1pNi|hMi|JI34vZD4X88|BMY|9JPEGBPAlQRd8AAA+F6vPwQYv3hAmI8|CFwEiN3zwBD4TWahGDvLsJjC0BD4TH8|BE|4tnIESLXxyL|3ckRItPGEwD|+FMA9lIA|Ezf8lFhckPhKTz8P9Ni8RBixBFM||SSAPTigKEwP90HUHByg0Pvr3A+gABRAPQvxF1|+xBgfqq|A18|3QOg8EBSYPA|wRBO8lzaevG|4vBD7cMTkWL|yyLTAPrdFgzfe2qEHRRQYsUwQD|0zPJigJMi8Jv6w|BycgRA8jlEO8BQYoA1RDtM8A|M|ZBOwy24BCmAP+DxgGD+Ahy7v|rCkiLy0H|1b9JiQT3g8XkEMS|BDtvGHKvZgFB|19BXkFdQVxf915dWzMXSIHsYP0BZACL6ehm|v9||0iFwA+EmHUg60yNrwGLKxDIM||76Jt9II1fBEyN|0VGM9KLy|9U+yRogCBMi+APhPVrdSBFqBAzwIvTvpEgSIl8JCCmIHB+gCBIi|APhEt1IP6mIFBIjVYIRI2|R0BIjYwkhRFI34vY6Hz9fiCNVtVI3iAQ4iHM8|DoZ37vIESLBo1XCEEgeqYgWMohiYQkgIcS7d7z8IsO2iBYiYyxJHERBzCRIOgx7yCL|ZwtMkyLXTpIg|f7bEiKIDBMiWTfJDhMi6QaMkyJ3VyEAYQk3IcRhpJ2jRGNR0swjCTw8|C|SYvU6On8BTCK3Zx4MkiNhHgyQYD|8yGNT2xEMBj+pAKD6QF184G8|ngyIVJleHVNi3eEJPQiMZQk+DUB|8JIO9hyOIP6f2x2M0SNSUD6AE+UQbgAmACmIEDKIs|4dBlEtjDAMUmN91QkbJEgSYPobLvoa4IwSIvOpiB4|0iF|3QSi1VC+UyOMBsxSI1MJEAf|9dIgcR0IWEkLQgALQE= MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 3560 cmdline: C:\Windows\system32\WerFault.exe -u -p 5152 -s 272 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.243662510.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rundll32.exe PID: 5152	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.Notteppad_SettupX32iX64.exe.2a20000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Rhadamanthys Stealer - Payload Download Request - Source IP: 192.168.2.3 - Destination IP: 164.90.172.224

Timestamp:	192.168.2.3164.90.172.22449698802043202 01/13/23-05:12:09.288311
SID:	2043202
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Payload Response - Source IP: 164.90.172.224 - Destination IP: 192.168.2.3

Timestamp:	164.90.172.224192.168.2.380496982853001 01/13/23-05:12:09.323085
SID:	2853001
Source Port:	80
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Notteppad_SettupX32iX64.exe	ReversingLabs: Detection: 19%
Source: Notteppad_SettupX32iX64.exe	Virustotal: Detection: 21%			Perma Link

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007DF4B3C1C06C CryptUnprotectData,

1_2_00007DF4B3C1C06C

Source: Notteppad_SettupX32iX64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source:	Binary string: wkernel32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245563996.00000000025D0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245469036.000000000250D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.289392390.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wrpcrt4.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.284854081.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wwin32u.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wsspicli.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: setupapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wimm32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: rundll32.exe, 00000001.00000003.283179571.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdbUGP source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293014153.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdbUGP source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wgdi32full.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mpr.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.269181411.0000025AA3900000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wmswsock.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Notteppad_SettupX32iX64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Notteppad_SettupX32iX64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Windows Analysis Report
Notteppad_SettupX32iX64.exe