33.0.0 White Diamond
IR
452385
CloudBasic
09:32:06
22/07/2021
Paidcheck.pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
ce32e8605adb6c9bb2dcee69fe887b46
2ace1fb1e3523768003b61a4a79193214ffafed9
7e22f7f21e8798805234be7ac26bad65c1edecb55b051343e0933a68041ce073
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
217.138.212.57
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected NanoCore RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT