Loading ...

Play interactive tourEdit tour

Analysis Report fakture.exe

Overview

General Information

Sample Name:fakture.exe
Analysis ID:288467
MD5:1d792f6fadba6f9d85b885f13f6d1c2b
SHA1:f0d6c72a9fc08c428e8eed05efe74036b5ffab5b
SHA256:f6267255856ec240e497ae7143cd91332025dbb2cdd503531de543a3b1ff3512

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • fakture.exe (PID: 6832 cmdline: 'C:\Users\user\Desktop\fakture.exe' MD5: 1D792F6FADBA6F9D85B885F13F6D1C2B)
    • powershell.exe (PID: 6876 cmdline: 'powershell' Get-MpPreference -verbose MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7076 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableArchiveScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6180 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 344 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5444 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisablePrivacyMode $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4856 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4576 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6476 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6528 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5396 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6756 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5308 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6896 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • fakture.exe (PID: 3548 cmdline: C:\Users\user\Desktop\fakture.exe MD5: 1D792F6FADBA6F9D85B885F13F6D1C2B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.71", "127.0.0.1:4455"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x622b5:$x1: NanoCore.ClientPluginHost
  • 0x622f2:$x2: IClientNetworkHost
  • 0x65e25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x6201d:$a: NanoCore
    • 0x6202d:$a: NanoCore
    • 0x62261:$a: NanoCore
    • 0x62275:$a: NanoCore
    • 0x622b5:$a: NanoCore
    • 0x6207c:$b: ClientPlugin
    • 0x6227e:$b: ClientPlugin
    • 0x622be:$b: ClientPlugin
    • 0x621a3:$c: ProjectData
    • 0x62baa:$d: DESCrypto
    • 0x6a576:$e: KeepAlive
    • 0x68564:$g: LogClientMessage
    • 0x6475f:$i: get_Connected
    • 0x62ee0:$j: #=q
    • 0x62f10:$j: #=q
    • 0x62f2c:$j: #=q
    • 0x62f5c:$j: #=q
    • 0x62f78:$j: #=q
    • 0x62f94:$j: #=q
    • 0x62fc4:$j: #=q
    • 0x62fe0:$j: #=q
    0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    Click to see the 15 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    31.2.fakture.exe.5aa0000.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    31.2.fakture.exe.5aa0000.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    31.2.fakture.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    31.2.fakture.exe.400000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    31.2.fakture.exe.400000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 7 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\fakture.exe, ProcessId: 3548, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\fakture.exe' , ParentImage: C:\Users\user\Desktop\fakture.exe, ParentProcessId: 6832, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp', ProcessId: 6896

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Antivirus / Scanner detection for submitted sampleShow sources
      Source: fakture.exeAvira: detected
      Antivirus detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: TR/AD.Nanocore.pudeg
      Source: C:\Users\user\AppData\Roaming\jntBJQ.exeAvira: detection malicious, Label: TR/AD.Nanocore.pudeg
      Found malware configurationShow sources
      Source: fakture.exe.3548.31.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.71", "127.0.0.1:4455"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.493900249.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.497969613.0000000005CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.fakture.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.fakture.exe.5ce0000.5.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\jntBJQ.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: fakture.exeJoe Sandbox ML: detected
      Source: 31.2.fakture.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: C:\Users\user\Desktop\fakture.exeCode function: 4x nop then jmp 076F6DE2h0_2_076F6324
      Source: global trafficTCP traffic: 192.168.2.4:49720 -> 79.134.225.71:4455
      Source: Joe Sandbox ViewIP Address: 79.134.225.71 79.134.225.71
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownDNS traffic detected: queries for: cmb234.myq-see.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: fakture.exe, 00000000.00000002.274319937.0000000002F41000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: fakture.exe, 00000000.00000002.282527726.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: fakture.exe, 00000000.00000002.273728731.0000000001200000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: fakture.exe, 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.493900249.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.497969613.0000000005CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.fakture.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 31.2.fakture.exe.5ce0000.5.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001F.00000002.497969613.0000000005CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.fakture.exe.5aa0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 31.2.fakture.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 31.2.fakture.exe.5ce0000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_015195080_2_01519508
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_0151C1A80_2_0151C1A8
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_0151A7B80_2_0151A7B8
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076ED3080_2_076ED308
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076EC9480_2_076EC948
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076E5E500_2_076E5E50
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076F36BD0_2_076F36BD
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076F00400_2_076F0040
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076F30180_2_076F3018
      Source: C:\Users\user\Desktop\fakture.exeCode function: 0_2_076F83A70_2_076F83A7
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_029DE48031_2_029DE480
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_029DE47131_2_029DE471
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_029DBBD431_2_029DBBD4
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_0503F5F831_2_0503F5F8
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_0503978831_2_05039788
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_0503A5D031_2_0503A5D0
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_0503A5E431_2_0503A5E4
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_0622004031_2_06220040
      Source: fakture.exeBinary or memory string: OriginalFilename vs fakture.exe
      Source: fakture.exe, 00000000.00000002.287249683.00000000081D0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs fakture.exe
      Source: fakture.exe, 00000000.00000002.287249683.00000000081D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs fakture.exe
      Source: fakture.exe, 00000000.00000002.273728731.0000000001200000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs fakture.exe
      Source: fakture.exe, 00000000.00000002.286811167.0000000007AD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs fakture.exe
      Source: fakture.exe, 00000000.00000002.274319937.0000000002F41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEminem.dll< vs fakture.exe
      Source: fakture.exe, 00000000.00000002.287325603.0000000008247000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSU8O.exe. vs fakture.exe
      Source: fakture.exe, 00000000.00000002.286304131.00000000075D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameButterFly.dll< vs fakture.exe
      Source: fakture.exe, 00000000.00000002.287062072.00000000080E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs fakture.exe
      Source: fakture.exeBinary or memory string: OriginalFilename vs fakture.exe
      Source: fakture.exe, 0000001F.00000002.497843779.0000000005BF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs fakture.exe
      Source: fakture.exe, 0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs fakture.exe
      Source: fakture.exe, 0000001F.00000000.253735838.0000000000657000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSU8O.exe. vs fakture.exe
      Source: fakture.exe, 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs fakture.exe
      Source: fakture.exe, 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs fakture.exe
      Source: fakture.exe, 0000001F.00000002.498726222.0000000006A70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs fakture.exe
      Source: fakture.exeBinary or memory string: OriginalFilenameSU8O.exe. vs fakture.exe
      Source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.274572779.0000000003F49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.497779478.0000000005AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.475386554.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.275622070.000000000403E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.496316853.0000000003A19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001F.00000002.497969613.0000000005CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001F.00000002.497969613.0000000005CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.fakture.exe.5aa0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.fakture.exe.5aa0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.fakture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 31.2.fakture.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.fakture.exe.5ce0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.fakture.exe.5ce0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.fakture.exe.5ce0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: fakture.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: jntBJQ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: fakture.exe, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: jntBJQ.exe.0.dr, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.2.fakture.exe.9d0000.0.unpack, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.0.fakture.exe.9d0000.0.unpack, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@45/64@9/3
      Source: C:\Users\user\Desktop\fakture.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\fakture.exeFile created: C:\Users\user\AppData\Roaming\jntBJQ.exeJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{95c2d3f9-c05f-4563-bfea-346737ff576e}
      Source: C:\Users\user\Desktop\fakture.exeMutant created: \Sessions\1\BaseNamedObjects\WsIzskGFtiDUGYnEdqi
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:360:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
      Source: C:\Users\user\Desktop\fakture.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4294.tmpJump to behavior
      Source: fakture.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\fakture.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\fakture.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\fakture.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeFile read: C:\Users\user\Desktop\fakture.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\fakture.exe 'C:\Users\user\Desktop\fakture.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verbose
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableArchiveScanning $true
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisablePrivacyMode $true
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\fakture.exe C:\Users\user\Desktop\fakture.exe
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Get-MpPreference -verboseJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableArchiveScanning $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisablePrivacyMode $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -ForceJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $trueJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess created: C:\Users\user\Desktop\fakture.exe C:\Users\user\Desktop\fakture.exeJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\fakture.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: fakture.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: fakture.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: fakture.exeStatic file information: File size 1548800 > 1048576
      Source: fakture.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x179600
      Source: fakture.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: fakture.exe, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: jntBJQ.exe.0.dr, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.fakture.exe.9d0000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.fakture.exe.9d0000.0.unpack, Frupal/End.cs.Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\fakture.exeCode function: 31_2_050369F8 pushad ; retf 31_2_050369F9
      Source: initial sampleStatic PE information: section name: .text entropy: 7.19809333854
      Source: initial sampleStatic PE information: section name: .text entropy: 7.19809333854
      Source: C:\Users\user\Desktop\fakture.exeFile created: C:\Users\user\AppData\Roaming\jntBJQ.exeJump to dropped file
      Source: C:\Users\user\Desktop\fakture.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jntBJQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4294.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\fakture.exeFile opened: C:\Users\user\Desktop\fakture.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fakture.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe