
Analysis Report Paypal Payment Authorization pdf.exe

Overview

General Information

Sample Name: Paypal Payment Authorization pdf.exe
Analysis ID: 337761
MD5: 43796c264cd5716211cca1333d02c545
SHA1: cd0af8e864d885c7495a0783a17daa185c7ac224
SHA256: 1d7e3f93b597143dc7762692af6d463b43feac3372d01a1ced3e9e6741205533
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Proces Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Paypal Payment Authorization pdf.exe (PID: 4544 cmdline: 'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe' MD5: 43796C264CD5716211CCA1333D02C545)
    • Paypal Payment Authorization pdf.exe (PID: 6136 cmdline: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe MD5: 43796C264CD5716211CCA1333D02C545)
      • schtasks.exe (PID: 2800 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • dhcpmon.exe (PID: 788 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 43796C264CD5716211CCA1333D02C545)
      • schtasks.exe (PID: 5496 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5912 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 43796C264CD5716211CCA1333D02C545)
    • dhcpmon.exe (PID: 4928 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 43796C264CD5716211CCA1333D02C545)
  • dhcpmon.exe (PID: 4352 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 43796C264CD5716211CCA1333D02C545)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.244.38.210"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x435bd:$a: NanoCore
  • 0x43616:$a: NanoCore
  • 0x43653:$a: NanoCore
  • 0x436cc:$a: NanoCore
  • 0x56d77:$a: NanoCore
  • 0x56d8c:$a: NanoCore
  • 0x56dc1:$a: NanoCore
  • 0x6fd4b:$a: NanoCore
  • 0x6fd60:$a: NanoCore
  • 0x6fd95:$a: NanoCore
  • 0x4361f:$b: ClientPlugin
  • 0x4365c:$b: ClientPlugin
  • 0x43f5a:$b: ClientPlugin
  • 0x43f67:$b: ClientPlugin
  • 0x56b33:$b: ClientPlugin
  • 0x56b4e:$b: ClientPlugin
  • 0x56b7e:$b: ClientPlugin
  • 0x56d95:$b: ClientPlugin
  • 0x56dca:$b: ClientPlugin
  • 0x6fb07:$b: ClientPlugin
  • 0x6fb22:$b: ClientPlugin
(50 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(7 entries in total; only the first are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ProcessId: 6136, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ParentImage: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ParentProcessId: 6136, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', ProcessId: 2800
Sigma detected: Conhost Parent Proces Executions
Source: Process started | Author: omkar72 | Data: Command: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, CommandLine: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, NewProcessName: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, OriginalFileName: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 4352, ProcessCommandLine: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ProcessId: 788

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Paypal Payment Authorization pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Found malware configuration
Source: Paypal Payment Authorization pdf.exe.4348.7.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.38.210"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: Paypal Payment Authorization pdf.exe | ReversingLabs: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY
Source: Yara match | File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Paypal Payment Authorization pdf.exe | Joe Sandbox ML: detected
Source: 8.2.dhcpmon.exe.470000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.0.Paypal Payment Authorization pdf.exe.440000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.2.Paypal Payment Authorization pdf.exe.930000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 12.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.dhcpmon.exe.470000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.0.Paypal Payment Authorization pdf.exe.930000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.0.dhcpmon.exe.9d0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.dhcpmon.exe.450000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 9.0.dhcpmon.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 9.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.Paypal Payment Authorization pdf.exe.630000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.0.Paypal Payment Authorization pdf.exe.630000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.2.dhcpmon.exe.9d0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.Paypal Payment Authorization pdf.exe.440000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 1.0.Paypal Payment Authorization pdf.exe.ab0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 12.2.dhcpmon.exe.450000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: Paypal Payment Authorization pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Paypal Payment Authorization pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229334209.0000000002831000.00000004.00000001.sdmp, Paypal Payment Authorization pdf.exe, 00000006.00000002.243331552.0000000002E71000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.248280032.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.267476892.0000000002D01000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.244.38.210
Source: global traffic | TCP traffic: 192.168.2.7:49721 -> 185.244.38.210:7008
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.38.210 (this entry is repeated 50 times in the report, one per connection)
Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229112118.0000000000C4B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY
Source: Yara match | File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.264137814.0000000002988000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 6136, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)Show sources
        Source: Paypal Payment Authorization pdf.exeStatic file information: Suspicious name
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: Paypal Payment Authorization pdf.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 6_2_012E20A8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 6_2_012E3239
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 6_2_012E2FE8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 6_2_012E2FD8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 7_2_028FE480
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 7_2_028FE471
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeCode function: 7_2_028FBBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00E820A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00E83008
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00E83272
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_04D84A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_04D83E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_04D84B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_012820B3
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01283239
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01283248
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01282FE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01282FDB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0100E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0100E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0100BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_04E54A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_04E53E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_04E54B08
        Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229334209.0000000002831000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229112118.0000000000C4B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000006.00000002.243331552.0000000002E71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.264137814.0000000002988000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 6136, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Paypal Payment Authorization pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: Paypal Payment Authorization pdf.exe, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.Paypal Payment Authorization pdf.exe.440000.0.unpack, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.Paypal Payment Authorization pdf.exe.440000.0.unpack, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: dhcpmon.exe.1.dr, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.0.Paypal Payment Authorization pdf.exe.ab0000.0.unpack, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.Paypal Payment Authorization pdf.exe.930000.0.unpack, hpCGGsxnBfkpZyTC.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/12@0/2
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paypal Payment Authorization pdf.exe.logJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:120:WilError_01
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{003adc3a-22f1-4bc1-a79f-fc8c7d09606c}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_01
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2E95.tmpJump to behavior
        Source: Paypal Payment Authorization pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Paypal Payment Authorization pdf.exeReversingLabs: Detection: 52%
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeFile read: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe 'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe 'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe' 0
        Source: unknownProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp'
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeProcess created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Paypal Payment Authorization pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Paypal Payment Authorization pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RunPE.pdb source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229334209.0000000002831000.00000004.00000001.sdmp, Paypal Payment Authorization pdf.exe, 00000006.00000002.243331552.0000000002E71000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.248280032.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.267476892.0000000002D01000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Event: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | Event: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | Event: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Event: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Event: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | Event: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: Code function: 6_2_012E621E push ds; iretd
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: Code function: 7_2_028FD413 push 0000005Dh; retn 0004h
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Code function: 8_2_00E8621E push ds; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Code function: 9_2_04D86E5D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Code function: 10_2_0128621E push ds; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Code function: 12_2_0100C8D9 push edx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Code function: 12_2_04E56E5D push FFFFFF8Bh; iretd
        Source: initial sample | Event: Static PE information: section name: .text entropy: 7.99637698124
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | Event: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | Event: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | Event: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | Event: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | Event: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | Event: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Event: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: File opened: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Event: Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Event: Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Window / User API: threadDelayed 6481
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Window / User API: threadDelayed 2877
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Window / User API: foregroundWindowGot 627
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Window / User API: foregroundWindowGot 692
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe TID: 5444 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe TID: 4872 Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe TID: 4844 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1956 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5876 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5664 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5116 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into foreign processes
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Memory written: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Process created: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY
        Source: Yara match File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY
        Source: Yara match File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY
        Source: Yara match File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: Paypal Payment Authorization pdf.exe, 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match, file source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, file source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY
        Source: Yara match, file source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY
        Source: Yara match, file source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY
        Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
        Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY
        Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY
        Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY
        Source: Yara match, file source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Techniques are listed per tactic column of the report's matrix. A number in parentheses is the hit-count badge the report attaches to a technique it actually observed in this analysis (where several badges were shown, their digits have been run together by extraction, e.g. 111); techniques without a number are the matrix's standard entries and were not observed.

        Initial Access
        • Valid Accounts
        • Default Accounts
        • Domain Accounts
        • Local Accounts
        • Cloud Accounts
        • Replication Through Removable Media
        • External Remote Services
        • Drive-by Compromise

        Execution
        • Windows Management Instrumentation (1)
        • Scheduled Task/Job (1)
        • At (Linux)
        • At (Windows)
        • Cron
        • Launchd
        • Scheduled Task
        • Command and Scripting Interpreter

        Persistence
        • Scheduled Task/Job (1)
        • Boot or Logon Initialization Scripts
        • Logon Script (Windows)
        • Logon Script (Mac)
        • Network Logon Script
        • Rc.common
        • Startup Items
        • Scheduled Task/Job

        Privilege Escalation
        • Process Injection (111)
        • Scheduled Task/Job (1)
        • Logon Script (Windows)
        • Logon Script (Mac)
        • Network Logon Script
        • Rc.common
        • Startup Items
        • Scheduled Task/Job

        Defense Evasion
        • Masquerading (2)
        • Virtualization/Sandbox Evasion (2)
        • Disable or Modify Tools (1)
        • Process Injection (111)
        • Deobfuscate/Decode Files or Information (1)
        • Hidden Files and Directories (1)
        • Obfuscated Files or Information (2)
        • Software Packing (13)

        Credential Access
        • Input Capture (21)
        • LSASS Memory
        • Security Account Manager
        • NTDS
        • LSA Secrets
        • Cached Domain Credentials
        • DCSync
        • Proc Filesystem

        Discovery
        • Query Registry (1)
        • Security Software Discovery (11)
        • Virtualization/Sandbox Evasion (2)
        • Process Discovery (1)
        • Application Window Discovery (1)
        • System Information Discovery (12)
        • Network Sniffing
        • Network Service Scanning

        Lateral Movement
        • Remote Services
        • Remote Desktop Protocol
        • SMB/Windows Admin Shares
        • Distributed Component Object Model
        • SSH
        • VNC
        • Windows Remote Management
        • Shared Webroot

        Collection
        • Input Capture (21)
        • Archive Collected Data (11)
        • Data from Network Shared Drive
        • Input Capture
        • Keylogging
        • GUI Input Capture
        • Web Portal Capture
        • Credential API Hooking

        Exfiltration
        • Exfiltration Over Other Network Medium
        • Exfiltration Over Bluetooth
        • Automated Exfiltration
        • Scheduled Transfer
        • Data Transfer Size Limits
        • Exfiltration Over C2 Channel
        • Exfiltration Over Alternative Protocol
        • Exfiltration Over Symmetric Encrypted Non-C2 Protocol

        Command and Control
        • Encrypted Channel (1)
        • Non-Standard Port (1)
        • Remote Access Software (1)
        • Application Layer Protocol (1)
        • Fallback Channels
        • Multiband Communication
        • Commonly Used Port
        • Application Layer Protocol

        Network Effects
        • Eavesdrop on Insecure Network Communication
        • Exploit SS7 to Redirect Phone Calls/SMS
        • Exploit SS7 to Track Device Location
        • SIM Card Swap
        • Manipulate Device Communication
        • Jamming or Denial of Service
        • Rogue Wi-Fi Access Points
        • Downgrade to Insecure Protocols

        Remote Service Effects
        • Remotely Track Device Without Authorization
        • Remotely Wipe Data Without Authorization
        • Obtain Device Cloud Backups

        Impact
        • Modify System Partition
        • Device Lockout
        • Delete Device Data
        • Carrier Billing Fraud
        • Manipulate App Store Rankings or Ratings
        • Abuse Accessibility Features
        • Data Encrypted for Impact
        • Generate Fraudulent Advertising Revenue

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 337761. Sample: Paypal Payment Authorization pdf.exe. Start date: 10/01/2021. Architecture: WINDOWS. Score: 100.

        Signatures shown at the top of the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures.

        Process tree recovered from the graph (the graph image itself is not reproduced):
        • Paypal Payment Authorization pdf.exe (started from the sample; drops Paypal Payment Aut...zation pdf.exe.log, ASCII)
          -> Paypal Payment Authorization pdf.exe (child; contacts 185.244.38.210 (ports 49721, 49726, 49728; ASN-QUADRANET-GLOBALUS, Netherlands) and 127.0.0.1; drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO), C:\Users\user\AppData\Local\...\tmp2E95.tmp (XML) and C:\...\dhcpmon.exe:Zone.Identifier (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
             -> schtasks.exe -> conhost.exe -> dhcpmon.exe
             -> schtasks.exe -> conhost.exe
        • dhcpmon.exe (signature: Injects a PE file into a foreign processes) -> dhcpmon.exe
        • Paypal Payment Authorization pdf.exe -> Paypal Payment Authorization pdf.exe
        • dhcpmon.exe

        Screenshots

        (screenshot thumbnails not reproduced)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Paypal Payment Authorization pdf.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.Cryptos
        Paypal Payment Authorization pdf.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        Paypal Payment Authorization pdf.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.Cryptos

        Unpacked PE Files

        Source | Detection | Scanner | Label
        8.2.dhcpmon.exe.470000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        0.0.Paypal Payment Authorization pdf.exe.440000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        6.2.Paypal Payment Authorization pdf.exe.930000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        12.0.dhcpmon.exe.450000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        8.0.dhcpmon.exe.470000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        6.0.Paypal Payment Authorization pdf.exe.930000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        10.0.dhcpmon.exe.9d0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        9.2.dhcpmon.exe.450000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        9.0.dhcpmon.exe.450000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        9.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        7.2.Paypal Payment Authorization pdf.exe.630000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        7.0.Paypal Payment Authorization pdf.exe.630000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        10.2.dhcpmon.exe.9d0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        0.2.Paypal Payment Authorization pdf.exe.440000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        1.0.Paypal Payment Authorization pdf.exe.ab0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
        12.2.dhcpmon.exe.450000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        185.244.38.210 | unknown | Netherlands | 8100 | ASN-QUADRANET-GLOBALUS | true

        Private

        IP
        127.0.0.1

        General Information

        Joe Sandbox Version:31.0.0 Red Diamond
        Analysis ID:337761
        Start date:10.01.2021
        Start time:08:25:19
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 10m 15s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:Paypal Payment Authorization pdf.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:36
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@18/12@0/2
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 0.1% (good quality ratio 0.1%)
        • Quality average: 84.5%
        • Quality standard deviation: 15.5%
        HCA Information:
        • Successful, ratio: 93%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        Errors:
        • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

        Simulations

        Behavior and APIs

        Time | Type | Description
        08:26:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe" s>$(Arg0)
        08:26:14 | API Interceptor | 1432x Sleep call for process: Paypal Payment Authorization pdf.exe modified
        08:26:14 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        08:26:16 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
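The persistence chain recorded above (two scheduled tasks named "DHCP Monitor" and "DHCP Monitor Task", registered by schtasks.exe from XML files dropped in the user's Temp directory, plus a Run value pointing at the dropped dhcpmon.exe) is the kind of sequence an endpoint detection should correlate rather than alert on piecemeal. The following is an added example, not part of the Joe Sandbox report and not NanoCore code: it runs three rules over constructed Sysmon-style process-creation (event 1) and registry-set (event 13) records and groups the hits by the process responsible. The image names, Temp XML paths, task names and Run value are taken from this report; the exact schtasks.exe command lines and the two benign records are assumptions.

```python
import re

# Constructed Sysmon-style events (not the report's raw log). Process names,
# the temp XML paths, task names and the Run value are taken from the report;
# the exact schtasks.exe command lines and the benign events are assumptions.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2E95.tmp"'},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3184.tmp"'},
    {"id": 13, "Image": r"C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor",
     "Details": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    # Benign noise (assumed): an admin registering a task from a non-temp path,
    # and a vendor updater that writes a Run value pointing at itself.
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
    {"id": 13, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, responsible_process) tuples for one event."""
    hits = []
    if ev["id"] == 1 and basename(ev["Image"]) == "schtasks.exe":
        cl = ev["CommandLine"]
        if re.search(r"/create\b", cl, re.I):
            m = XML_ARG.search(cl)
            xml_path = (m.group(1) or m.group(2)) if m else ""
            # task definition fed from a temp file: the XML is the only record
            # of what was registered, and the dropper usually deletes it
            if TEMP_DIR.search(xml_path):
                hits.append(("schtasks_xml_from_temp", ev["ParentImage"]))
            # schtasks launched by a binary living in a user-writable location
            if USER_WRITABLE.search(ev["ParentImage"]):
                hits.append(("schtasks_from_user_writable_parent", ev["ParentImage"]))
    elif ev["id"] == 13 and RUN_KEY.search(ev["TargetObject"]):
        writer, target = ev["Image"], ev["Details"]
        # a user-writable binary registering autostart, or a process that
        # registers a *different* binary than itself (dropper pattern)
        if USER_WRITABLE.search(writer) or basename(writer) != basename(target):
            hits.append(("run_key_set_by_dropper", writer))
    return hits


def correlate(events):
    """Group rule hits by the responsible process; two or more rules -> high."""
    by_proc = {}
    for ev in events:
        for rule, proc in check_event(ev):
            by_proc.setdefault(proc, set()).add(rule)
    return {proc: {"rules": sorted(rules),
                   "severity": "high" if len(rules) > 1 else "medium"}
            for proc, rules in by_proc.items()}


if __name__ == "__main__":
    for proc, alert in correlate(EVENTS).items():
        print(alert["severity"].upper(), proc, ", ".join(alert["rules"]))
```

Run stand-alone, the script reports a single high-severity alert for the lure executable carrying all three rules, and nothing for the two benign records. The third rule is deliberately loose (installers also register a differently named binary), which is why the score comes from the combination rather than from any one rule.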

        Joe Sandbox View / Context

        IPs

            Match | Associated Sample Name / URL | Detection
            185.244.38.210 | Scan_00059010189_ ref. 004118379411_ pdf.exe | malicious
            185.244.38.210 | Payment_Confirmation pdf.exe | malicious

            Domains

            No context

            ASN

            Match: ASN-QUADRANET-GLOBALUS
            Associated Sample Name / URL (Detection) | IP in this ASN
            Scan_00059010189_ ref. 004118379411_ pdf.exe (malicious) | 185.244.38.210
            nh8712Nx5J.xls (malicious) | 185.174.102.105
            Payment_Confirmation pdf.exe (malicious) | 185.244.38.210
            npp.7.9.2.Installer (1).exe (malicious) | 192.169.6.95
            https://linkprotect.cudasvc.com/url?a=http%3a%2f%2ffindcloud.id%2fwp-includes%2f8JTmzq3FN6z3OBJBdBCfXrdcZl5H7ZxOaOZzfl2H%2f&c=E,1,2CiyC7FGbs3Pvr1yrAWkewOmRL-xyrP42HL37xX4omRyLZqRrqWOt_1RKb6pLtfzxs7zIBTrrVMEwQ8pOUIr2mFuNwrd9eHNrfkptUp83QPlV-CrGIoXMw,,&typo=1 (malicious) | 173.254.250.226
            https://mrveggy.com/resgatecarrinho/jcWVa69vj8IDsQRCud8h6RNI9Mz17JqsPPJ0DFnlbXZGyMM2GcZ3/ (malicious) | 173.254.250.226
            1I72L29IL3F.doc (malicious) | 173.254.250.226
            https://x9sademwnet.gb.net/bnbgfvgrthbg456tr54g6trvecds/?tuk5sx4dsb3=7df34dj4csa (malicious) | 104.129.25.9
            xLH4kwOjXR.exe (malicious) | 104.223.94.66
            utox.exe (malicious) | 104.223.122.15
            QUOTES.exe (malicious) | 69.174.99.26
            file.exe (malicious) | 192.161.187.200
            http://jb092.com/rxlbakzd/goqmmbmi.html?kjmikw5x.3hllr (malicious) | 185.174.103.81
            https://www.trackins.org/sale/cat/sale-c199387IoAL&C_fTkoAvATBo-1LAvvTgoAKL6_.T5.html?_emr=12e4edca-8183-44e0-bccb-e3d6e0eeb447&wfcs=cs2&dcrectxid=d48055ba-93d6-4b3f-80c6-70de3252bde6&_eml=2ec38d65-f3da-4587-bd38-7c1f333c6dc8&source=batch&batchid=04&varid=5&csnid=1eab81b4-e54d-4cc2-8735-a5d571cfe688&brcid=13&sm=1&refid=MKTEML_31000&emlid=1131&maiid=1913 (malicious) | 173.205.83.250
            Shipment Document BLINV And Packing List Attached.exe (malicious) | 192.161.187.200
            kWbmxCNnPIYLMvvPIVlMbDKbbQCNjT.exe (malicious) | 69.174.99.26
            Purchase Order.exe (malicious) | 104.129.26.162
            SecuriteInfo.com.Variant.Bulz.265335.2250.exe (malicious) | 66.63.162.20
            New order.xls (malicious) | 66.63.162.20
            https://app.box.com/s/rdobxcyrhp1cdxwej3pfeyvngfh3lwag (malicious) | 173.254.237.250

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):352256
            Entropy (8bit):7.469885302599986
            Encrypted:false
            SSDEEP:6144:8iS9IvO+J0i2ttjKd4aOLlLFIbJU+M2ucUcjwxvHVZ0y1UCgVBL:8EvO+l2ttKdpYLFI3XucMx/f0ymCuB
            MD5:43796C264CD5716211CCA1333D02C545
            SHA1:CD0AF8E864D885C7495A0783A17DAA185C7AC224
            SHA-256:1D7E3F93B597143DC7762692AF6D463B43FEAC3372D01A1CED3E9E6741205533
            SHA-512:B1A795E53EF3F7905EAB4E19600C67ED78CC4EA7539A50C5733E2EF944A7F9C5353D5678D7D50236730E14B851E2B659FE356F3BCD36F041D0945EA83F5806C1
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 52%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._.................L..........>k... ........@.. ....................................@..................................j..S.................................................................................... ............... ..H............text...DK... ...L.................. ..`.rsrc................N..............@..@.reloc...............^..............@..B................ k......H........_...............!..,>...........................................0..C.......(....~....o....~....o....~....o..............~.......~......o....&*..(....*..0..?.......(.....s......(.....o....o.......o......o.....o........io......*..0..F............(....o.....o......-....'.o...............io....&.....,..o......*..........$:.......0..V.......(.........r...p(....r...p(.........r...p(....r+..p(.........r7..p(.........rD..p.....*.......,..b......-.W..w...R...v.~E..........
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paypal Payment Authorization pdf.exe.log
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):617
            Entropy (8bit):5.347480285514745
            Encrypted:false
            SSDEEP:12:Q3La/hhkvoDLI4MWuCt92n4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhk
            MD5:9871A1CB00306B3628E0BDC28B4ABB86
            SHA1:248B2FE82417AC0DED1E38C43A1EED261DB6CEE1
            SHA-256:569E5D399E50DD6D74918557AAEEA3306EFD86EFAC5A62C9CB97C6DBEC396B92
            SHA-512:FB2FB7D2F9894AC760ACDD0F9757B7E458A7A64C34C651155EE21DC96AC835063F6E194A52E7DA293C336AB8765DA166A2926A14D173D013E3E7465A07656733
            Malicious:true
            Reputation:low
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):617
            Entropy (8bit):5.347480285514745
            Encrypted:false
            SSDEEP:12:Q3La/hhkvoDLI4MWuCt92n4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhk
            MD5:9871A1CB00306B3628E0BDC28B4ABB86
            SHA1:248B2FE82417AC0DED1E38C43A1EED261DB6CEE1
            SHA-256:569E5D399E50DD6D74918557AAEEA3306EFD86EFAC5A62C9CB97C6DBEC396B92
            SHA-512:FB2FB7D2F9894AC760ACDD0F9757B7E458A7A64C34C651155EE21DC96AC835063F6E194A52E7DA293C336AB8765DA166A2926A14D173D013E3E7465A07656733
            Malicious:false
            Reputation:low
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            C:\Users\user\AppData\Local\Temp\tmp2E95.tmp
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1327
            Entropy (8bit):5.091498852984887
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0gWxtn:cbk4oL600QydbQxIYODOLedq3PWj
            MD5:DA63AD4C680733ED83D564411CA76CAE
            SHA1:981FC459890E62849038DA2B99C711C00B7276B9
            SHA-256:31CB39FA68EB81E5B307A93444489CD4A509607DFA2131583C27DC96E976989B
            SHA-512:8A6D9270442D41A2C562F3C63B3F6451A440D94DDB3FEED72D154A6FBDEB89A7D0B59FB05F533D585A650AABBFFB9739AA4DAC8F5104A5483A8D05C73B31A035
            Malicious:true
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Local\Temp\tmp3184.tmp
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1310
            Entropy (8bit):5.109425792877704
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
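The two task definitions above (tmp2E95.tmp and tmp3184.tmp) and the Zone.Identifier stream written next to dhcpmon.exe are the artefacts an analyst should triage statically when this sample turns up on a host. Below is an added example, not part of the Joe Sandbox report and not NanoCore code, that parses a task XML and a Zone.Identifier stream and reports what matters: the task runs with RunLevel HighestAvailable, has no triggers (it only runs when something calls it), and takes caller-supplied arguments, while the stream explicitly sets ZoneId=0 on a file that, having been written by a local process, would normally carry no Mark-of-the-Web at all. The XML is reconstructed from the previews down to WakeToRun; the Actions element is an assumption built from the "DHCP Monitor Task" entry in Simulations (dhcpmon.exe path plus the $(Arg0) pass-through). Like the dropped files, it declares UTF-16 while really being ASCII, which the parser has to work around.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition. Everything down to <WakeToRun> follows the
# previews of tmp2E95.tmp / tmp3184.tmp in the report; <Actions> is an
# assumption built from the report's "Run new task" entry for "DHCP Monitor
# Task" (dhcpmon.exe path and the $(Arg0) pass-through argument).
TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    '  <RegistrationInfo />\r\n'
    '  <Triggers />\r\n'
    '  <Principals>\r\n'
    '    <Principal id="Author">\r\n'
    '      <LogonType>InteractiveToken</LogonType>\r\n'
    '      <RunLevel>HighestAvailable</RunLevel>\r\n'
    '    </Principal>\r\n'
    '  </Principals>\r\n'
    '  <Settings>\r\n'
    '    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n'
    '    <AllowHardTerminate>true</AllowHardTerminate>\r\n'
    '    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n'
    '    <Enabled>true</Enabled>\r\n'
    '    <Hidden>false</Hidden>\r\n'
    '    <WakeToRun>false</WakeToRun>\r\n'
    '  </Settings>\r\n'
    '  <Actions Context="Author">\r\n'
    '    <Exec>\r\n'
    '      <Command>"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"</Command>\r\n'
    '      <Arguments>$(Arg0)</Arguments>\r\n'
    '    </Exec>\r\n'
    '  </Actions>\r\n'
    '</Task>\r\n'
)

# Content of dhcpmon.exe:Zone.Identifier as listed in the report (26 bytes).
ZONE_ADS = "[ZoneTransfer]\r\nZoneId=0\r\n"

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def triage_task(xml_text):
    """Return the action command and a list of persistence-relevant findings."""
    # Drop the declaration: it claims UTF-16 but the bytes are ASCII, so a
    # parser that honours it would fail or mis-decode the file.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    findings = []
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("runs with the highest available token (full admin token for an admin user)")
    triggers = root.find("t:Triggers", NS)
    if triggers is None or len(triggers) == 0:
        findings.append("no triggers: the task only runs when something calls it (schtasks /run or the API)")
    if text("t:Settings/t:Hidden") == "true":
        findings.append("hidden from the Task Scheduler UI")
    if text("t:Settings/t:MultipleInstancesPolicy") == "Parallel":
        findings.append("parallel instances allowed")
    command = ""
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        if "$(Arg" in args:
            findings.append("arguments are supplied by the caller at run time (%s)" % args)
    return {"command": command, "findings": findings}


def zone_id(ads_text):
    """Parse the ZoneId out of a Zone.Identifier stream; None if absent."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)", ads_text, re.M)
    return int(m.group(1)) if m else None


def motw_verdict(ads_text):
    z = zone_id(ads_text)
    if z is None:
        return "no ZoneId: stream absent or malformed"
    name = ZONE_NAMES.get(z, "unknown")
    if z >= 3:
        return "MOTW present (zone %d, %s): download protections apply" % (z, name)
    # A file written by a local process normally has no Zone.Identifier at
    # all; an explicit ZoneId=0 means the writer chose to mark it as local.
    return "MOTW downgraded (zone %d, %s): file is treated as local" % (z, name)


if __name__ == "__main__":
    result = triage_task(TASK_XML)
    print(result["command"])
    for finding in result["findings"]:
        print(" -", finding)
    print(motw_verdict(ZONE_ADS))
```

On a live host the same functions apply to the output of `schtasks /query /xml /tn "DHCP Monitor Task"` and to the bytes read from `dhcpmon.exe:Zone.Identifier`; the Temp copies of the XML are usually gone by the time anyone looks.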
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:data
            Category:dropped
            Size (bytes):1488
            Entropy (8bit):7.108278141116062
            Encrypted:false
            SSDEEP:24:SJezZmuTsu1NJezZmuTsu1NJezZmuTsu1NJezZmuTsu1NJezZmuTsu1NJezZmuTA:SUzDgcUzDgcUzDgcUzDgcUzDgcUzDgd
            MD5:8B16E30AF998D03A9F3E00B4F0ED3D0B
            SHA1:C47D03FF6B7782FF69EA32E11592D40A860274D4
            SHA-256:4B51060E7C80DEA28F677EAED229CF741BC63E030116D5248041C7194E9A82C8
            SHA-512:6D7D8E4867C40B3063A31D9D48FCD51893A9688BDC05729FAB903A306DBB4008F50DC58B60AD225666E261F9EA385E84B41D77E38FBFA7EE4E56B31E75C6D201
            Malicious:false
            Reputation:low
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:Non-ISO extended-ASCII text, with no line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:uUQ9t:uUw
            MD5:1A0A28EF8DFB3131E4982E486A21008D
            SHA1:CFC76B6C72CC2B669FFCCC2D0458D7DA4A86DF0D
            SHA-256:9ADB8FB914B62C711C899B1DAFEDE996F60E2831C4468EB083A05C9EAAE7C287
            SHA-512:ECECE4BB05C92B1710DD0AA6F3762F80805923536F4971F1A5F40F525F4A03F8DF127672081FC97DCB71095130E1B5D8D6BCCE1A0EECB1186B0C6BB8D0079245
            Malicious:true
            Preview: _ .q...H
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:data
            Category:dropped
            Size (bytes):24
            Entropy (8bit):4.584962500721156
            Encrypted:false
            SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
            MD5:3FCC766D28BFD974C68B38C27D0D7A9A
            SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
            SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
            SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
            Malicious:false
            Preview: 9iH...}Z.4..f.....l.d
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:data
            Category:modified
            Size (bytes):64
            Entropy (8bit):5.425704882778696
            Encrypted:false
            SSDEEP:3:9bzY6oRDJoTBPcgY6oRDMjmPl:RzWDqTdRWDMCd
            MD5:CA214D2E41394F5ADA74FA4F2EA15CB5
            SHA1:32E3F863838177349F2AF70CA1CE695B3C184166
            SHA-256:B6E370AF3F5C1001C79BC19706D1A5B1803C59BC45AEFAB4BD18FC67034F47A1
            SHA-512:E9C268BCDE8872F4DD2964ACA6F9C51834E42E2AF7FF2E1C327573CEDC98127B0EDBBF8E76E456FFF82A28FC46A210D91EEEA2242ECED5368D107436B3492C14
            Malicious:false
            Preview: 9iH...}Z.4..f.....l.d9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:data
            Category:dropped
            Size (bytes):327432
            Entropy (8bit):7.99938831605763
            Encrypted:true
            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
            Malicious:false
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
            Process:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):64
            Entropy (8bit):4.540873781480404
            Encrypted:false
            SSDEEP:3:oN0naRR1EbFO5ruERXXJ:oNcSROhOFRXZ
            MD5:D6F6F97EB8A42120A5DF0383DBF051A0
            SHA1:4CD2851875E5F62990455C0AD9F55E41ABD77E31
            SHA-256:7F21E4C00136CAEA325254B47362330602F4CAEB7C080C35F4E065D72704705E
            SHA-512:1F44DB8EB78F81C8C69F35FD87B7AC27FE45231BC499368E74A040E2262DD3862853AC9B3CD1B45E1342A153E5AD8528CEB0B4A71A4B8230EA4C46772DD0CD96
            Malicious:false
            Preview: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.469885302599986
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:Paypal Payment Authorization pdf.exe
            File size:352256
            MD5:43796c264cd5716211cca1333d02c545
            SHA1:cd0af8e864d885c7495a0783a17daa185c7ac224
            SHA256:1d7e3f93b597143dc7762692af6d463b43feac3372d01a1ced3e9e6741205533
            SHA512:b1a795e53ef3f7905eab4e19600c67ed78cc4ea7539a50c5733e2ef944a7f9c5353d5678d7d50236730e14b851e2b659fe356f3bcd36f041d0945ea83f5806c1
            SSDEEP:6144:8iS9IvO+J0i2ttjKd4aOLlLFIbJU+M2ucUcjwxvHVZ0y1UCgVBL:8EvO+l2ttKdpYLFI3XucMx/f0ymCuB
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._.................L..........>k... ........@.. ....................................@................................

            File Icon

            Icon Hash:8c125212d9cc348a

            Static PE Info

            General

            Entrypoint:0x446b3e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x5FFA4F12 [Sun Jan 10 00:49:22 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al   (repeated 97 times; this instruction encodes as the two bytes 00 00, so the bytes after the jmp are zero padding)

            Data Directories

            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x46ae8          0x53          .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x48000          0x10e04       .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5a000          0xc           .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

            Sections

            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
            .text   0x2000           0x44b44       0x44c00   False     0.983686079545   data       7.99637698124   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc   0x48000          0x10e04       0x11000   False     0.0745346966912  data       2.5624642962    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc  0x5a000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name           RVA      Size     Type                                                                        Language  Country
            RT_ICON        0x48130  0x10828  data
            RT_GROUP_ICON  0x58958  0x14     data
            RT_VERSION     0x5896c  0x2ac    data
            RT_MANIFEST    0x58c18  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

            Imports

            DLL          Import
            mscoree.dll  _CorExeMain

            Version Infos

            Description       Data
            Translation       0x0000 0x04b0
            LegalCopyright
            Assembly Version  0.0.0.0
            InternalName      Paypal Payment Authorization pdf.exe
            FileVersion       0.0.0.0
            ProductVersion    0.0.0.0
            FileDescription
            OriginalFilename  Paypal Payment Authorization pdf.exe

            Network Behavior

            Network Port Distribution

            TCP Packets

            Timestamp                            Source Port  Dest Port  Source IP       Dest IP
            Jan 10, 2021 08:26:15.299971104 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:15.478411913 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:15.478790998 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:15.544387102 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:15.735930920 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:15.745909929 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:15.923803091 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:15.924019098 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.152252913 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.155679941 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.379458904 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379514933 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379571915 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379610062 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379631042 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.379662037 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379666090 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.379703045 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379751921 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379787922 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379834890 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379873037 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.379945993 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.379960060 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.379964113 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557372093 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557468891 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557512999 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557537079 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557552099 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557604074 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557641983 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557662010 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557713985 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557720900 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557754040 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557800055 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557832003 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557868004 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557909966 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.557921886 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.557971954 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558020115 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558020115 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.558079958 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558121920 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558139086 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.558175087 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558209896 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558223009 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.558260918 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558299065 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558320045 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.558370113 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.558428049 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.735799074 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735827923 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735840082 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735861063 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735877991 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735901117 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735899925 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.735917091 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735932112 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.735941887 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735949993 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.735969067 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.735990047 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736000061 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736016989 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736033916 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736052990 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736073017 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736084938 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736102104 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736108065 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736124992 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736148119 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736166000 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736177921 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736207962 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736226082 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736232996 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736252069 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736268997 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736273050 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736275911 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736282110 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736287117 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736301899 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736327887 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736345053 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736350060 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736370087 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736387014 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736394882 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736413956 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736422062 CET  49721        7008       192.168.2.7     185.244.38.210
            Jan 10, 2021 08:26:16.736453056 CET  7008         49721      185.244.38.210  192.168.2.7
            Jan 10, 2021 08:26:16.736471891 CET  49721        7008       192.168.2.7     185.244.38.210

            Code Manipulations

            Statistics

            Behavior


            System Behavior

            General

            Start time:08:26:08
            Start date:10/01/2021
            Path:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe'
            Imagebase:0x440000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:09
            Start date:10/01/2021
            Path:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Imagebase:0xab0000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:12
            Start date:10/01/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'
            Imagebase:0xd80000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:08:26:13
            Start date:10/01/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff774ee0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:08:26:13
            Start date:10/01/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp'
            Imagebase:0xd80000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:08:26:14
            Start date:10/01/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff774ee0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:08:26:14
            Start date:10/01/2021
            Path:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe' 0
            Imagebase:0x930000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:15
            Start date:10/01/2021
            Path:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe
            Imagebase:0x7ff724940000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.264137814.0000000002988000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:16
            Start date:10/01/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
            Imagebase:0x7ff6e70f0000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 52%, ReversingLabs
            Reputation:low

            General

            Start time:08:26:17
            Start date:10/01/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Imagebase:0x450000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:23
            Start date:10/01/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Imagebase:0x9d0000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:08:26:26
            Start date:10/01/2021
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Imagebase:0x450000
            File size:352256 bytes
            MD5 hash:43796C264CD5716211CCA1333D02C545
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low
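            The four dhcpmon.exe entries above share one MD5 and one file size, so they are four launches of a single dropped copy from Program Files, not four different files. What differs is where the Yara rules fire: the instances with the "0" argument (process ids 0x8 and 0xA) only match in read/write memory, while the instances started without arguments (0x9 and 0xC) additionally match in a 0x40-protected region at 0x402000, well below the 0x450000 image base the report gives for them. A read/write/execute region that is not part of the loaded image is the usual footprint of a PE that was manually mapped in memory, which is consistent with the injection and unpacking signatures the report raises. The script below is an added triage example, not part of the Joe Sandbox report: it decodes the dump names from the Source fields above and sorts each hit into heap data, in-image code, or foreign RWX memory. It assumes the dump name layout <pid-hex>.<round>.<dump-id>.<base-address>.<page-protection>.<flags>.sdmp with Win32 PAGE_* values in the protection field, and it takes a rough 0x56000 mapped size for the 352256-byte image; both are assumptions about the sandbox's naming and about the PE, not facts the report states. The 64-bit-range image base listed for process 0x8 (despite the WOW64 flag) is used as reported.

```python
"""Triage helper for the dhcpmon.exe Yara matches (constructed example).

Assumed dump name layout (not documented on this page):
    <pid-hex>.<round>.<dump-id>.<base-address>.<page-protection>.<flags>.sdmp
with <page-protection> holding a Win32 PAGE_* constant.
"""
import re
from collections import defaultdict

# Win32 memory protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

PROTECTION_NAMES = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp"
)

# Image bases the report lists for each dhcpmon.exe instance, keyed by the
# hex process id that appears first in the dump names.
IMAGE_BASE = {0x8: 0x7FF6E70F0000, 0x9: 0x450000, 0xA: 0x9D0000, 0xC: 0x450000}

# Source fields of the Yara matches above, copied verbatim (one per dump).
SOURCES = [
    "00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp",
    "00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp",
    "00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp",
    "0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp",
    "0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp",
    "0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp",
    "0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp",
]


def parse_dump_name(name):
    """Decode one dump name into pid, base address and protection (ints)."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return {
        "pid": int(m["pid"], 16),
        "base": int(m["base"], 16),
        "protection": int(m["prot"], 16),
    }


def classify(entry, image_bases, image_size=0x56000):
    """Label a hit as data, in-image executable code, or RWX memory outside the image.

    image_size is an assumed upper bound for the mapped size of the 352 KB
    PE; it only decides whether an address lies inside the reported mapping.
    """
    base = image_bases.get(entry["pid"])
    inside_image = base is not None and base <= entry["base"] < base + image_size
    prot = entry["protection"]
    if prot & PAGE_EXECUTE_READWRITE and not inside_image:
        # Writable and executable, but not the loaded image: a manually
        # mapped PE, the usual footprint of RunPE-style self-injection.
        return "rwx-outside-image"
    if prot & (PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE):
        return "executable"
    return "data"


def triage(sources, image_bases):
    """Group (address, protection name, classification) tuples per process id."""
    report = defaultdict(list)
    for s in sources:
        e = parse_dump_name(s)
        prot_name = PROTECTION_NAMES.get(e["protection"], hex(e["protection"]))
        report[e["pid"]].append((hex(e["base"]), prot_name, classify(e, image_bases)))
    return dict(report)


def processes_with_unpacked_payload(sources, image_bases):
    """Process ids whose Yara hits include RWX memory outside their own image."""
    return sorted(pid for pid, hits in triage(sources, image_bases).items()
                  if any(kind == "rwx-outside-image" for _, _, kind in hits))


if __name__ == "__main__":
    for pid, hits in sorted(triage(SOURCES, IMAGE_BASE).items()):
        print(f"process 0x{pid:x}:")
        for addr, prot, kind in hits:
            print(f"  {addr:>12}  {prot:<24}  {kind}")
    print("unpacked payload in:",
          [hex(p) for p in processes_with_unpacked_payload(SOURCES, IMAGE_BASE)])
```

            Run as-is, it reports process ids 0x9 and 0xC as carrying the unpacked payload and 0x8 and 0xA as heap-only hits; when triaging a live host, the same split tells you which instance to dump for configuration extraction and which is merely the launcher.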

            Disassembly

            Code Analysis
