Malware analysis NutstoreWindowsWPFInstaller.exe Malicious activity

Add for printing

File name:	NutstoreWindowsWPFInstaller.exe
Full analysis:	https://app.any.run/tasks/c7fa9ec0-ba86-436a-917c-e4026b5c61cd
Verdict:	Malicious activity
Analysis date:	May 02, 2024, 11:49:01
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	704147EDAE31E6199DFED680C4F5DF36
SHA1:	07EF72D4F5CEC6A7AE6DDA048262C7B1AB281B25
SHA256:	D80EEDAB2FE00A1B6A378E88985A93BA742B88EC18DA041308E0DFBB9BD86639
SSDEEP:	98304:0+6mNkUUX2dUoL5ZhbxaIytUhfICaQezhCR2hELS/2u2LwIBQIQoKRD:qs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - 7za.exe (PID: 2448)
- Creates a writable file in the system directory
  - MaintenanceService.exe (PID: 2736)
SUSPICIOUS
- Reads settings of System Certificates
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - NutstoreClient.exe (PID: 2916)
  - NutstoreClient.exe (PID: 2660)
- Reads the Internet Settings
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - Nutstore.exe (PID: 2872)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - NutstoreClient.exe (PID: 2916)
  - nutstore_watchdog.exe (PID: 1184)
  - Nutstore.exe (PID: 960)
  - nutstore_watchdog.exe (PID: 972)
  - NutstoreClient.exe (PID: 2660)
- Executable content was dropped or overwritten
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - rundll32.exe (PID: 2168)
  - rundll32.exe (PID: 2324)
  - 7za.exe (PID: 2448)
- Reads security settings of Internet Explorer
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - MSI32BA.tmp (PID: 1480)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - Nutstore.exe (PID: 2872)
  - NutstoreClient.exe (PID: 2916)
  - Nutstore.exe (PID: 960)
  - NutstoreClient.exe (PID: 2660)
- Checks Windows Trust Settings
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - msiexec.exe (PID: 1080)
  - MaintenanceService.exe (PID: 2736)
  - NutstoreClient.exe (PID: 2916)
  - NutstoreClient.exe (PID: 2660)
- Adds/modifies Windows certificates
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 1080)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
- Starts CMD.EXE for commands execution
  - msiexec.exe (PID: 2332)
  - cmd.exe (PID: 3012)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
- Executing commands from a ".bat" file
  - msiexec.exe (PID: 2332)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - cmd.exe (PID: 3012)
- Drops 7-zip archiver for unpacking
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
- Starts application with an unusual extension
  - cmd.exe (PID: 2528)
- The process creates files with name similar to system file names
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
- Process drops legitimate windows executable
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - 7za.exe (PID: 2448)
- Drops a system driver (possible attempt to evade defenses)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
- Creates/Modifies COM task schedule object
  - msiexec.exe (PID: 1080)
  - RegisterExtensionDotNet40.exe (PID: 2376)
- Uses RUNDLL32.EXE to load library
  - msiexec.exe (PID: 2332)
- Executes as Windows Service
  - NTFSWatcher.exe (PID: 1880)
  - MaintenanceService.exe (PID: 2736)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 3012)
- Application launched itself
  - cmd.exe (PID: 3012)
- The process drops C-runtime libraries
  - 7za.exe (PID: 2448)
INFO
- Checks supported languages
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - msiexec.exe (PID: 1080)
  - wmpnscfg.exe (PID: 372)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 2092)
  - msiexec.exe (PID: 2284)
  - chcp.com (PID: 2592)
  - msiexec.exe (PID: 2332)
  - MaintenanceService.exe (PID: 2640)
  - NTFSWatcher.exe (PID: 2560)
  - NTFSWatcher.exe (PID: 1880)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - MSI32BA.tmp (PID: 1480)
  - NsExtInstaller.exe (PID: 2420)
  - MSI3683.tmp (PID: 2776)
  - Nutstore.exe (PID: 2872)
  - NutstoreClient.exe (PID: 2916)
  - MaintenanceService.exe (PID: 2736)
  - Nutstore.RegistryModifier.exe (PID: 3624)
  - PostUpdater.exe (PID: 3392)
  - wmpnscfg.exe (PID: 2124)
  - wmpnscfg.exe (PID: 2172)
  - nutstore_watchdog.exe (PID: 1184)
  - 7za.exe (PID: 2448)
  - NutstoreClient.exe (PID: 2660)
  - Nutstore.exe (PID: 960)
  - nutstore_watchdog.exe (PID: 972)
- Reads the machine GUID from the registry
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - msiexec.exe (PID: 2092)
  - msiexec.exe (PID: 2284)
  - msiexec.exe (PID: 2332)
  - NsExtInstaller.exe (PID: 2420)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - MSI3683.tmp (PID: 2776)
  - NutstoreClient.exe (PID: 2916)
  - MaintenanceService.exe (PID: 2736)
  - PostUpdater.exe (PID: 3392)
  - Nutstore.RegistryModifier.exe (PID: 3624)
  - NutstoreClient.exe (PID: 2660)
- Reads the computer name
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - wmpnscfg.exe (PID: 372)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 2092)
  - msiexec.exe (PID: 2284)
  - msiexec.exe (PID: 1080)
  - msiexec.exe (PID: 2332)
  - MaintenanceService.exe (PID: 2640)
  - NTFSWatcher.exe (PID: 1880)
  - MSI32BA.tmp (PID: 1480)
  - NsExtInstaller.exe (PID: 2420)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - NTFSWatcher.exe (PID: 2560)
  - MSI3683.tmp (PID: 2776)
  - Nutstore.exe (PID: 2872)
  - NutstoreClient.exe (PID: 2916)
  - MaintenanceService.exe (PID: 2736)
  - PostUpdater.exe (PID: 3392)
  - Nutstore.RegistryModifier.exe (PID: 3624)
  - 7za.exe (PID: 2448)
  - wmpnscfg.exe (PID: 2124)
  - wmpnscfg.exe (PID: 2172)
  - Nutstore.exe (PID: 960)
  - NutstoreClient.exe (PID: 2660)
- Reads Environment values
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 2284)
  - msiexec.exe (PID: 2332)
  - NutstoreClient.exe (PID: 2916)
  - NutstoreClient.exe (PID: 2660)
- Reads the software policy settings
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - MaintenanceService.exe (PID: 2736)
  - NutstoreClient.exe (PID: 2916)
  - NutstoreClient.exe (PID: 2660)
- Create files in a temporary directory
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 2284)
  - msiexec.exe (PID: 2332)
  - msiexec.exe (PID: 1080)
  - NutstoreClient.exe (PID: 2916)
- Creates files or folders in the user directory
  - NutstoreWindowsWPFInstaller.exe (PID: 4072)
  - x4h1uin5.e0o_NsInstaller.exe (PID: 1856)
  - msiexec.exe (PID: 1080)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - NutstoreClient.exe (PID: 2916)
  - nutstore_watchdog.exe (PID: 1184)
  - 7za.exe (PID: 2448)
  - NutstoreClient.exe (PID: 2660)
- Manual execution by a user
  - wmpnscfg.exe (PID: 372)
  - Nutstore.exe (PID: 2872)
  - taskmgr.exe (PID: 1292)
  - wmpnscfg.exe (PID: 2124)
  - wmpnscfg.exe (PID: 2172)
- Application launched itself
  - msiexec.exe (PID: 1080)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 1080)
- Creates files in the program directory
  - MaintenanceService.exe (PID: 2640)
  - NTFSWatcher.exe (PID: 1880)
  - NsExtInstaller.exe (PID: 2420)
  - NTFSWatcher.exe (PID: 2560)
  - RegisterExtensionDotNet40.exe (PID: 2376)
  - PostUpdater.exe (PID: 3392)
  - Nutstore.RegistryModifier.exe (PID: 3624)
  - MaintenanceService.exe (PID: 2736)
  - NutstoreClient.exe (PID: 2916)
- Drops the executable file immediately after the start
  - rundll32.exe (PID: 2168)
  - rundll32.exe (PID: 2324)
- Reads security settings of Internet Explorer
  - rundll32.exe (PID: 2168)
  - rundll32.exe (PID: 2324)
- Starts application with an unusual extension
  - msiexec.exe (PID: 1080)
- Creates a software uninstall entry
  - msiexec.exe (PID: 1080)
- Checks proxy server information
  - nutstore_watchdog.exe (PID: 1184)
  - nutstore_watchdog.exe (PID: 972)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:04:09 03:29:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	2757632
InitializedDataSize:	73216
UninitializedDataSize:	-
EntryPoint:	0x2a324e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.1.10.0
ProductVersionNumber:	1.1.10.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Shanghai Yicun Network Ltd.
FileDescription:	Nutstore.Online.Installer
FileVersion:	1.1.10.0
InternalName:	NutstoreWindowsWPFInstaller.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFileName:	NutstoreWindowsWPFInstaller.exe
ProductName:	Nutstore.Online.Installer
ProductVersion:	1.1.10.0
AssemblyVersion:	1.1.10.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

372

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

960

"C:\Program Files\Nutstore\Nutstore.exe" --nutstore-url "nutstore://jianguoyun/awake"

C:\Program Files\Nutstore\Nutstore.exe

—

NutstoreWindowsWPFInstaller.exe

User:

admin

Company:

Shanghai Yicun Network Ltd.

Integrity Level:

HIGH

Description:

Nutstore Launcher

Exit code:

Version:

7.1.6.0

Modules

Images
c:\program files\nutstore\nutstore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

972

"C:\Program Files\Nutstore\bin-7.1.6\nutstore_watchdog.exe"

C:\Program Files\Nutstore\bin-7.1.6\nutstore_watchdog.exe

—

NutstoreClient.exe

User:

admin

Company:

Shanghai Yicun Network Ltd.

Integrity Level:

HIGH

Description:

Nutstore Watchdog

Exit code:

Version:

0.1.2

Modules

Images
c:\program files\nutstore\bin-7.1.6\nutstore_watchdog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll

1080

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1184

"C:\Program Files\Nutstore\bin-7.1.6\nutstore_watchdog.exe"

C:\Program Files\Nutstore\bin-7.1.6\nutstore_watchdog.exe

—

NutstoreClient.exe

User:

admin

Company:

Shanghai Yicun Network Ltd.

Integrity Level:

MEDIUM

Description:

Nutstore Watchdog

Exit code:

Version:

0.1.2

Modules

Images
c:\program files\nutstore\bin-7.1.6\nutstore_watchdog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll

1292

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1332

/C "C:\Users\admin\AppData\Local\Temp\{7C8EF937-CAA0-40FD-9A3D-08E2A333599A}.bat"

C:\Windows\System32\cmd.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1480

"C:\Windows\Installer\MSI32BA.tmp" /RunAsAdmin /HideWindow "C:\Program Files\Nutstore\bin-7.1.6\NsExtInstaller.exe" install "C:\Program Files\Nutstore\bin-7.1.6\"

C:\Windows\Installer\MSI32BA.tmp

msiexec.exe

User:

admin

Company:

Caphyon LTD

Integrity Level:

HIGH

Description:

File that launches another file

Exit code:

Version:

16.6.1.0

Modules

Images
c:\windows\installer\msi32ba.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1856

"C:\Users\admin\AppData\Local\Temp\x4h1uin5.e0o_NsInstaller.exe" /qn /Le "C:\Users\admin\AppData\Roaming\NutstoreInstaller\Logs\install_error.log"

C:\Users\admin\AppData\Local\Temp\x4h1uin5.e0o_NsInstaller.exe

NutstoreWindowsWPFInstaller.exe

User:

admin

Company:

上海亦存网络科技有限公司

Integrity Level:

HIGH

Description:

坚果云 Installer

Exit code:

Version:

7.1.6

Modules

Images
c:\users\admin\appdata\local\temp\x4h1uin5.e0o_nsinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

1880

C:\ProgramData\Nutstore\service\NTFSWatcher.exe

—

services.exe

User:

SYSTEM

Company:

Shanghai Yicun Network Ltd.

Integrity Level:

SYSTEM

Description:

Nutstore NTFS Event Watcher

Version:

7.1.6.0

Modules

Images
c:\programdata\nutstore\service\ntfswatcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

Add for printing

Total events

42 450

Read events

41 602

Write events

794

Delete events

Modification events


(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:	write	Name:	Name
Value: NutstoreWindowsWPFInstaller.exe
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4072) NutstoreWindowsWPFInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NutstoreWindowsWPFInstaller_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

483

Suspicious files

Text files

179

Unknown types

Dropped files

PID	Process	Filename		Type
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Roaming\NutstoreClient\install\holder0.aiph		—
		MD5:—	SHA256:—
4072	NutstoreWindowsWPFInstaller.exe	C:\Users\admin\AppData\Local\Temp\x4h1uin5.e0o_NsInstaller.exe		executable
		MD5:B94341B44E860C829ECEAEF3C5D6EE04	SHA256:3C955AE595173BCD603CE3727570A8854B1776FC5158C4AA74CF0752D9598631
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\~DFFD702A50AA83593F.TMP		binary
		MD5:B901E482AA56AE8775FEF283B2143CA9	SHA256:10B944BA485CD984B120EE143089A83A754E810467262F1D18337C64FA61A913
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\AIEFC34.tmp		executable
		MD5:EF8BE1E2F281BC0ADDEA842FA14B01A5	SHA256:2AA1A32586CEC476EE408BB7A2C5CF5DF849F708CEE9E34DCE15B6282F3BB0BF
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Roaming\NutstoreClient\install\A17CEC4\Nutstore.x64.msi		executable
		MD5:D5F05967912DF2952CC05BFD69DA9C82	SHA256:CCFB69435304B6E5155BFEFFC062B88C0A38BBF5A196B9442EA884663C5A475B
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\MSIFEE5.tmp		executable
		MD5:46563628970B87C0AE9710D8DA84EE1E	SHA256:B2572663CC77A33E8B59DB4C62973242682B8DDBADA4BDC281FAD5C74E17862D
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1856\installer_banner.jpg		image
		MD5:40773FA301D1376E4394A53B4CF7D13D	SHA256:F35BE490DBE0F422516114E2006DDD43CBF8F23CF8B2C9C25135E06B876DDCE1
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1856\NutstoreCustomAction.CA.dll		executable
		MD5:F7358891278A99C0765E8E5524FA5BEF	SHA256:A3D17F2B66C76DE817EE69F35C2BF5EF053A9C43BDC210E57949ED8329E0E680
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Roaming\NutstoreClient\install\decoder.dll		executable
		MD5:840BC325982BB8F88F09F672CC6CACA2	SHA256:8401C8B1D587896BD21D37BDE8B7134FBA8C7C849B7DB2257E7426203AFAB815
1856	x4h1uin5.e0o_NsInstaller.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1856\installer_dialog.jpg		image
		MD5:191F756AA1691D8526021B24BE0824F0	SHA256:77164BC2BE4FA1F2FCFB7BAD72FF06AE33FF138CD683AC52F7D021FC2DFD6D46

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4072	NutstoreWindowsWPFInstaller.exe	POST	200	123.6.29.78:80	http://mcs.snssdk.com/v2/event/json	unknown	—	—	unknown
2736	MaintenanceService.exe	GET	304	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?266b8e5a2148a701	unknown	—	—	unknown
2736	MaintenanceService.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D	unknown	—	—	unknown
2736	MaintenanceService.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	—	—	unknown
2736	MaintenanceService.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEFDXTFemNkZRCk1uCmpORAo%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
4072	NutstoreWindowsWPFInstaller.exe	43.152.26.154:443	pkg-cdn.jianguoyun.com	ACE	DE	unknown
4072	NutstoreWindowsWPFInstaller.exe	112.90.95.56:80	mcs.snssdk.com	China Unicom Guangdong IP network	CN	unknown
4072	NutstoreWindowsWPFInstaller.exe	123.6.29.78:80	mcs.snssdk.com	CHINA UNICOM China169 Backbone	CN	unknown
2736	MaintenanceService.exe	199.232.210.172:80	ctldl.windowsupdate.com	FASTLY	US	unknown
2736	MaintenanceService.exe	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	unknown
4072	NutstoreWindowsWPFInstaller.exe	221.194.141.157:80	mcs.snssdk.com	CHINA UNICOM China169 Backbone	CN	unknown

DNS requests

Domain	IP	Reputation
pkg-cdn.jianguoyun.com	43.152.26.154 43.152.26.142 43.152.26.104 43.152.26.58 43.152.26.197 43.152.26.221 43.152.26.151	unknown
mcs.snssdk.com	112.90.95.56 123.6.29.78 112.90.95.61 123.6.29.82 221.194.141.151 221.194.141.157	unknown
ctldl.windowsupdate.com	199.232.210.172 199.232.214.172	whitelisted
ocsp.comodoca.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
dns.msftncsi.com	131.107.255.255	shared

Threats

No threats detected

Add for printing

Process	Message
x4h1uin5.e0o_NsInstaller.exe	[AVX_CRT_Fix][C:\Users\admin\AppData\Local\Temp\x4h1uin5.e0o_NsInstaller.exe] CPU: __isa_available = 5
x4h1uin5.e0o_NsInstaller.exe	[AVX_CRT_Fix][\\?\C:\Users\admin\AppData\Roaming\NutstoreClient\install\decoder.dll] CPU: __isa_available = 5
x4h1uin5.e0o_NsInstaller.exe	[AVX_CRT_Fix][\\?\C:\Users\admin\AppData\Roaming\NutstoreClient\install\decoder.dll] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Users\admin\AppData\Local\Temp\MSIFEE5.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Users\admin\AppData\Local\Temp\MSIFF53.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Windows\Installer\MSI210.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Windows\Installer\MSI25F.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Windows\Installer\MSI280.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Windows\Installer\MSI2A0.tmp] CPU: __isa_available = 5
msiexec.exe	[AVX_CRT_Fix][C:\Windows\Installer\MSI2C0.tmp] CPU: __isa_available = 5

General Info

NutstoreWindowsWPFInstaller.exe

704147EDAE31E6199DFED680C4F5DF36

07EF72D4F5CEC6A7AE6DDA048262C7B1AB281B25

D80EEDAB2FE00A1B6A378E88985A93BA742B88EC18DA041308E0DFBB9BD86639

98304:0+6mNkUUX2dUoL5ZhbxaIytUhfICaQezhCR2hELS/2u2LwIBQIQoKRD:qs

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

SUSPICIOUS

Reads settings of System Certificates

Reads the Internet Settings

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Adds/modifies Windows certificates

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Drops 7-zip archiver for unpacking

Starts application with an unusual extension

The process creates files with name similar to system file names

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Creates/Modifies COM task schedule object

Uses RUNDLL32.EXE to load library

Executes as Windows Service

Uses ATTRIB.EXE to modify file attributes

Application launched itself

The process drops C-runtime libraries

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Reads the software policy settings

Create files in a temporary directory

Creates files or folders in the user directory

Manual execution by a user

Application launched itself

Executable content was dropped or overwritten

Creates files in the program directory

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Starts application with an unusual extension

Creates a software uninstall entry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information