
Analysis Report NEW ORDER_8876630.exe

Overview

General Information

Sample Name: NEW ORDER_8876630.exe
Analysis ID: 320333
MD5: 1745bf7233bdb5b42fba4517363b258f
SHA1: 826f6dcbbe56fa62b3894f52c5ab18fd009930e2
SHA256: 33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
Tags: exe, NanoCore, RAT

Detection

Nanocore AveMaria MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected MailPassView
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NEW ORDER_8876630.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6444 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ORDER_8876630.exe (PID: 5852 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
      • schtasks.exe (PID: 6624 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6156 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 5876 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5796 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5776 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
  • NEW ORDER_8876630.exe (PID: 6852 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • dhcpmon.exe (PID: 4088 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6916 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6508 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • dhcpmon.exe (PID: 4928 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x561e7:$a: NanoCore
  • 0x562d1:$a: NanoCore
  • 0x57148:$a: NanoCore
  • 0x602f2:$a: NanoCore
  • 0x60353:$a: NanoCore
  • 0x60396:$a: NanoCore
  • 0x603d6:$a: NanoCore
  • 0x60612:$a: NanoCore
  • 0x606b2:$a: NanoCore
  • 0x60e8a:$a: NanoCore
  • 0x6147d:$a: NanoCore
  • 0x615ce:$a: NanoCore
  • 0x62428:$a: NanoCore
  • 0x6268f:$a: NanoCore
  • 0x626a4:$a: NanoCore
  • 0x626c3:$a: NanoCore
  • 0x6b5c6:$a: NanoCore
  • 0x6b5ef:$a: NanoCore
  • 0x77368:$a: NanoCore
  • 0x77391:$a: NanoCore
  • 0x9c254:$a: NanoCore
00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(99 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
9.2.NEW ORDER_8876630.exe.6100000.9.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
(63 entries in total; only the first are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ProcessId: 5852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' , ParentImage: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ParentProcessId: 6164, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', ProcessId: 6444

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 49%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: NEW ORDER_8876630.exe | Virustotal: Detection: 49%
Yara detected AveMaria stealer
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match | File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW ORDER_8876630.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 28.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 79.134.225.9:4321
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 79.134.225.9:4321
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.9 (this entry is repeated 100 times in the report)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NEW ORDER_8876630.exe, NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW ORDER_8876630.exe, 00000000.00000002.670733862.0000000002721000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5e
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?oci
          Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.865177744.0000000000994000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr, 3agbefca.z1h.34.drString found in binary or memory: http://www.nirsoft.net/
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/staticY
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/LMEMx
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=F
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=we
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
          Source: dhcpmon.exe, 0000000F.00000002.693277110.0000000000E88000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

          Yara detected AveMaria stealer
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Yara detected Nanocore RAT
          Source: Yara match | File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
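          Triage note on the two lists above (added here as an example; this is not part of the sandbox report and not Joe Security code). Most of the "String found in binary or memory" hits are noise: the font-vendor URLs (fontbureau.com, founder.com.cn, sajatypeworks.com, urwpp.de and the rest) are copyright strings from Windows font files mapped into any process that renders text, and the google/msn/doubleclick URLs seen only in vbc.exe come from the NirSoft browser-credential tool reading the analysis VM's own browser profile. The one string-level tool indicator is http://www.nirsoft.net/, found in vbc.exe at image base 0x400000 in an RWX region, which is consistent with the report's MailPassView / WebBrowserPassView detections. On the Yara side, the hits that matter most are the ones on RWX regions at 0x402000 in processes 9, 0x14 and 0x1C, i.e. the unpacked NanoCore payload; hits on the RW heap regions are the same payload's data. The script below parses both line types, decodes the dump identifiers and applies those heuristics. It assumes the identifier layout `<process index>.<stage>.<dump id>.<base address>.<page protection>.<kind>.sdmp`, inferred from how the report's own cross-references line up (the hit on `0000001C....0000000000402000.00000040...` matches `28.2.dhcpmon.exe.400000.0.unpack`), and it assumes the protection field carries the standard Win32 PAGE_* constants. The vendor lists and the `browser-artifact` rule are the editor's heuristics, not report fields; the sample lines are copied from the report with the table separator restored as ` | `.

```python
"""Triage helper for Joe Sandbox 'String found in binary or memory' and
'Yara match' lines.  Added example, not part of the report or of any Joe
Security tooling.  Assumed *.sdmp identifier layout (inferred, not documented):
  <proc index>.<stage>.<dump id>.<base address>.<page protection>.<kind>.sdmp
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp"
)
# Win32 PAGE_* constants (assumed to be what the 5th field carries).  RWX
# regions at an image base are where an unpacked payload lives.
PAGE_PROT = {0x02: "R", 0x04: "RW", 0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "RWX-copy"}

# Report lines with the table-cell separator restored as ' | '.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) \| (?P<kind>String found in binary or memory|File source): (?P<value>.+)$"
)

# Editor's heuristic lists.  Font vendors: copyright/URL strings embedded in
# Windows font files, mapped into any process that renders text (benign).
FONT_VENDORS = {
    "fontfabrik.com", "fontbureau.com", "fonts.com", "founder.com.cn",
    "galapagosdesign.com", "goodfont.co.kr", "jiyu-kobo.co.jp", "sajatypeworks.com",
    "sakkal.com", "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de",
    "zhongyicts.com.cn", "carterandcone.com",
}
# Home page of the NirSoft recovery tools named by the report's Yara rules.
TOOL_VENDORS = {"nirsoft.net"}


def parse_dump_id(token):
    """Decode a *.sdmp identifier into process index, base address, protection."""
    m = DUMP_RE.search(token)
    if not m:
        return None
    prot = int(m["prot"], 16) & 0xFF
    return {"proc": int(m["proc"], 16), "base": int(m["base"], 16),
            "prot": PAGE_PROT.get(prot, hex(prot))}


def host_of(url):
    m = re.match(r"https?://([^/:?;]+)", url)
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host


def classify_url(url, processes):
    """Label a URL string by where it most plausibly came from.  Trailing junk
    ('carterandcone.coml', 'typography.netD') is an over-read string, so
    vendors are matched by prefix."""
    host = host_of(url)
    if any(host == v or host.startswith(v) for v in TOOL_VENDORS):
        return "tool-indicator"
    if any(host == v or host.startswith(v) for v in FONT_VENDORS):
        return "font-metadata"
    if processes == {"vbc.exe"}:
        # The credential tool runs inside vbc.exe and reads the analysis VM's
        # own browser profile: its URLs are sandbox history, not C2.
        return "browser-artifact"
    return "other"


def triage(report_text):
    out = {"rwx_yara": [], "tool_indicators": [], "url_classes": Counter()}
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "File source":          # Yara match on a memory dump
            d = parse_dump_id(m["value"])
            if d and d["prot"] == "RWX":
                out["rwx_yara"].append((d["proc"], d["base"]))
        else:                                   # string-search hit
            procs = {t.strip() for t in m["src"].split(",") if t.strip().endswith(".exe")}
            cls = classify_url(m["value"], procs)
            out["url_classes"][cls] += 1
            if cls == "tool-indicator":
                out["tool_indicators"].append((sorted(procs), m["value"]))
    return out


# Constructed sample: six lines taken from the report with ' | ' restored.
SAMPLE = """\
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: Yara match | File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

          Run against the full report text, `triage()` reduces the string list to one tool indicator and a handful of "other" entries (the comodoca OCSP/CRL URLs from the code-signing certificate and the WS-Identity claim URI from the .NET runtime), and reduces the Yara list to the RWX image regions that are worth dumping and diffing against a clean NanoCore build.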

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: NEW ORDER_8876630.exe
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00234E95
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFC124
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFE561
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFE570
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 7_2_003C4E95
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_008E4E95
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06522238
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06523730
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_065146D3
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_065142EB
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06513324
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CE471
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CE480
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CBBD4
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_00C24E95
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FC124
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FE562
Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FE570
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_006E4E95
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7C124
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7E562
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7E570
Source: NEW ORDER_8876630.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sTIihDLgsDxOeq.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.9.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NEW ORDER_8876630.exe, 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000000.00000002.672364153.0000000003948000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000000.00000002.679046010.0000000009480000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000007.00000002.668026345.0000000000436000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNAudio.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000002.709414711.0000000007320000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000000.681598052.0000000000C96000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000002.709634185.00000000075D0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000002.709634185.00000000075D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000002.709295285.0000000007190000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMARCUS.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 0000000E.00000002.710228104.00000000093B0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000013.00000000.695212366.00000000002A6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000014.00000002.713524450.0000000000E76000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW ORDER_8876630.exe
Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exeBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.672364153.0000000003948000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679046010.0000000009480000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmpBinary or memory string: originalfilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000007.00000002.668026345.0000000000436000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exeBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs NEW ORDER_8876630.exe
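          The OriginalFilename hits above come from searching each process memory dump for the VS_VERSION_INFO "OriginalFilename" key and pairing its value with the name the sample actually runs under: a value that differs from the disk name (B2B.exe, mailpv.exe, the *ClientPlugin.dll family) is what makes the listing useful, because it names the payloads and plugins the loader carried. The Python below is an added example, not Joe Sandbox code and not part of this report, that carves the same strings from a raw memory buffer and applies both checks. SAMPLE_MEMORY is constructed for the example, and NANOCORE_MODULES is simply the set of module names this report lists, used as a watchlist rather than a complete NanoCore inventory. The stray character after some values in the report ("dll4", "dll<", "dllT") is most likely the first byte of the structure that follows the NUL-terminated value, rendered as text by a plain string dumper; a carver that stops at the terminator, as this one does, never picks it up.

```python
"""Carve VS_VERSION_INFO OriginalFilename values from raw process memory and
compare them with the name the sample runs under.

Added example, not Joe Sandbox code. SAMPLE_MEMORY is constructed to resemble
the strings this report lists; NANOCORE_MODULES is the set of module names the
report shows, used as a watchlist rather than a complete NanoCore inventory.
"""
import re
from typing import Dict, List

# Module names copied from the OriginalFilename hits in this report.
NANOCORE_MODULES = {
    "NanoCoreBase.dll", "NanoCoreStressTester.dll", "ClientPlugin.dll",
    "CoreClientPlugin.dll", "ManagementClientPlugin.dll",
    "NetworkClientPlugin.dll", "SecurityClientPlugin.dll",
    "SurveillanceClientPlugin.dll", "SurveillanceExClientPlugin.dll",
    "ToolsClientPlugin.dll", "FileBrowserClient.dll",
    "MyClientPlugin.dll", "MyClientPluginNew.dll",
}

# A VS_VERSION_INFO String entry is: three WORDs of header, the UTF-16LE key
# with a NUL terminator, DWORD padding, then the UTF-16LE value with its own
# NUL terminator. The regex anchors on the key, tolerates the optional 2-byte
# pad, and captures printable ASCII-range UTF-16LE characters up to the
# value's terminator (non-ASCII names are a known limitation of this carver).
_KEY = "OriginalFilename".encode("utf-16-le")
_ENTRY = re.compile(
    re.escape(_KEY) + rb"\x00\x00(?:\x00\x00)?"
    + rb"((?:[\x20-\x7e]\x00){0,260}?)\x00\x00",
    re.DOTALL,
)


def carve_original_filenames(memory: bytes) -> List[str]:
    """Every OriginalFilename value in the buffer, in order. An empty string
    means the entry exists but carries no name (the report's bare
    'OriginalFilename vs' lines)."""
    return [m.group(1).decode("utf-16-le") for m in _ENTRY.finditer(memory)]


def compare_to_disk_name(memory: bytes, disk_name: str) -> List[Dict[str, object]]:
    """Pair each carved value with the two checks the listing implies:
    does it match the on-disk name, and is it a known NanoCore module?"""
    findings = []
    for name in carve_original_filenames(memory):
        findings.append({
            "original_filename": name,
            "matches_disk_name": name.lower() == disk_name.lower(),
            "known_nanocore_module": name in NANOCORE_MODULES,
        })
    return findings


def flag_mismatches(memory: bytes, disk_name: str) -> List[str]:
    """Names that are set and differ from the disk name: the values worth
    pivoting on (dropped payload names, loaded plugins, bundled tools)."""
    return [f["original_filename"]
            for f in compare_to_disk_name(memory, disk_name)
            if f["original_filename"] and not f["matches_disk_name"]]


def _version_string(key: str, value: str) -> bytes:
    """Build one String entry body (key, pad, value) for the constructed sample."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    if len(body) % 4:            # pad so the value starts on a 4-byte boundary
        body += b"\x00\x00"
    return body + value.encode("utf-16-le") + b"\x00\x00"


# Constructed memory image: a few version-info entries separated by filler.
# The b"<\x00" / b"4\x00" after a terminator stand in for the next structure's
# length WORD, which a naive string dumper renders as the stray "dll<"/"dll4".
SAMPLE_MEMORY = (
    b"\x00" * 8
    + _version_string("OriginalFilename", "NanoCoreBase.dll") + b"<\x00"
    + b"\xcc" * 16
    + _version_string("OriginalFilename", "B2B.exe") + b"4\x00"
    + _version_string("OriginalFilename", "")
    + _version_string("OriginalFilename", "NEW ORDER_8876630.exe")
    + _version_string("CompanyName", "Example Corp")
)

if __name__ == "__main__":
    for finding in compare_to_disk_name(SAMPLE_MEMORY, "NEW ORDER_8876630.exe"):
        print(finding)
    print("mismatches:", flag_mismatches(SAMPLE_MEMORY, "NEW ORDER_8876630.exe"))
```

          Run against a real dump, the same functions take the bytes of a .sdmp region as `memory`; the `{0,260}` bound keeps a corrupted or unterminated entry from swallowing the rest of the buffer, and treating an empty value as "present but unset" preserves the distinction the report draws between a missing name and a mismatching one.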
          Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: NEW ORDER_8876630.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: sTIihDLgsDxOeq.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@34/17@0/1
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile created: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\DtwUqciGKiRjooXSHiqUg
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1a99772f-8635-4efa-9ce3-0da1f36f00d5}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile created: C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp
          Source: NEW ORDER_8876630.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSystem information queried: HandleInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: NEW ORDER_8876630.exeVirustotal: Detection: 49%
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile read: C:\Users\user\Desktop\NEW ORDER_8876630.exe
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe 'C:\Users\user\Desktop\NEW ORDER_8876630.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: NEW ORDER_8876630.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: NEW ORDER_8876630.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NEW ORDER_8876630.exe
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeCode function: 0_2_002360D2 push es; retf
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeCode function: 0_2_00AFDEEF push cs; retn 0004h
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeCode function: 0_2_00AFDF02 push cs; retn 0004h
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 7_2_003C60D2 push es; retf
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 9_2_008E60D2 push es; retf
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 14_2_00C260D2 push es; retf
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 14_2_014FB5D0 pushad ; retf
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_006E60D2 push es; retf
          Source: initial sample Static PE information: section name: .text entropy: 7.75604514901
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe  Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match  File source: 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.670812071.00000000027A8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 0000000E.00000002.699403409.0000000003042000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match  File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match  File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671609130.0000000002AD9000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.694294173.0000000002DD9000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671609130.0000000002AD9000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.694294173.0000000002DD9000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp  Binary or memory string: SBIEDLL.DLL
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe  Code function: 0_2_00235C2B sldt word ptr [eax]
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Window / User API: threadDelayed 5509
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Window / User API: threadDelayed 4153
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Window / User API: foregroundWindowGot 571
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Window / User API: foregroundWindowGot 704
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 2016 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6224 | Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 1808 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 1548 | Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6908 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6920 | Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6896 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6912 | Thread sleep time: -41500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7100 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 4044 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4344 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1620 | Thread sleep time: -41500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4972 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: dhcpmon.exe, 00000015.00000002.730097018.00000000029B9000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.698765888.000000000130E000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 00000015.00000002.730097018.00000000029B9000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: NEW ORDER_8876630.exe, 00000009.00000003.858898194.0000000001048000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
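The sleep evidence and the schtasks process creations above are the two behaviours in this section a detection engineer would most want to turn into checks. The block below is an added example written for this page, not code from the sandbox or from the sample; the sample lines are copied from the report, while the helper names, the 30000 threshold applied as a constant and the reading of the sleep figures as milliseconds are its assumptions. One thing it makes explicit: 922337203685477 equals Int64.MaxValue / 10,000, that is .NET TimeSpan.MaxValue expressed in milliseconds, which is what a .NET program passes when it intends to wait indefinitely; read the same way, the repeated 41500 figure is a 41.5 s wait, just over the report's 30000 limit.

```python
"""Two checks derived from the sandbox evidence above: evasive sleeps and
scheduled tasks created from an XML file staged in a Temp directory.

Added example, not code from the sandbox or the sample. SAMPLE_LINES are copied
from the report; helper names and the millisecond reading are assumptions.
"""
import re
from typing import List, NamedTuple, Optional

# Int64.MaxValue ticks / 10,000 ticks per ms = .NET TimeSpan.MaxValue in milliseconds.
# A sleep of exactly this length is a .NET "wait forever" (TimeSpan.MaxValue).
DOTNET_TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000   # 922337203685477
LONG_SLEEP_MS = 30_000                              # threshold printed by the report

_SLEEP_RE = re.compile(r"(?:sleep time|delay time): -?(\d+)")


def classify_sleep(evidence_line: str) -> Optional[str]:
    """Classify one 'Thread sleep time' / 'Thread delayed' line; None if it is neither."""
    m = _SLEEP_RE.search(evidence_line)
    if m is None:
        return None
    ms = int(m.group(1))
    if ms == DOTNET_TIMESPAN_MAX_MS:
        return "infinite"   # TimeSpan.MaxValue: the thread never wakes on its own
    if ms >= LONG_SLEEP_MS:
        return "long"       # outlasts a typical sandbox run
    return "short"


# The report prints command lines with single quotes; double quotes are accepted too.
_TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, dropping the surrounding quotes."""
    toks = []
    for t in _TOKEN_RE.findall(cmdline):
        if len(t) >= 2 and t[0] in "'\"" and t[-1] == t[0]:
            t = t[1:-1]
        toks.append(t)
    return toks


class TaskFinding(NamedTuple):
    task_name: str
    xml_path: str
    xml_from_temp: bool   # task definition staged under a user or system Temp directory
    forced: bool          # /f: silently overwrite an existing task of the same name


_TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def inspect_schtasks(cmdline: str) -> Optional[TaskFinding]:
    """Return a finding for 'schtasks /create ... /xml <file>' command lines, else None."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    pos = {t.lower(): i for i, t in enumerate(toks)}   # flag -> index, case-insensitive
    if "/create" not in pos:
        return None

    def value(flag: str) -> str:
        i = pos.get(flag)
        return toks[i + 1] if i is not None and i + 1 < len(toks) else ""

    xml_path = value("/xml")
    return TaskFinding(
        task_name=value("/tn"),
        xml_path=xml_path,
        xml_from_temp=bool(xml_path) and _TEMP_DIR_RE.search(xml_path) is not None,
        forced="/f" in pos,
    )


# Constructed input: command lines and sleep evidence copied from this report.
SAMPLE_LINES = [
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'",
    r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'",
    r"C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}",
    "TID: 2016Thread sleep time: -922337203685477s >= -30000s",
    "TID: 6224Thread sleep time: -41500s >= -30000s",
]


def triage(lines: List[str]) -> List[str]:
    """One finding per suspicious line; lines that trigger neither check are skipped."""
    out = []
    for line in lines:
        task = inspect_schtasks(line)
        if task is not None and task.xml_from_temp:
            out.append(f"persistence: task {task.task_name!r} created from {task.xml_path}"
                       + (" (forced overwrite)" if task.forced else ""))
            continue
        kind = classify_sleep(line)
        if kind in ("long", "infinite"):
            out.append(f"evasion: {kind} sleep, {line.split('Thread')[0].strip()}")
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run as a script it prints four findings for the report's own lines (two task creations, one infinite and one 41.5 s sleep). In a pipeline you would feed `inspect_schtasks` the command lines from process-creation events (Sysmon event ID 1 or Security 4688) rather than report text; the Temp-directory test is what the "Scheduled temp file as task from temp location" Sigma hit in the overview keys on.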
          Source: NEW ORDER_8876630.exe, 00000009.00000002.918787904.000000000317C000.00000004.00000001.sdmp | Binary or memory string: Program Manager4w"
          Source: NEW ORDER_8876630.exe, 00000009.00000002.918734102.000000000316A000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: NEW ORDER_8876630.exe, 00000009.00000002.924138899.00000000072FE000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.922655257.00000000060FB000.00000004.00000001.sdmp | Binary or memory string: Program ManagerT^
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: NEW ORDER_8876630.exe, 00000009.00000002.923034146.00000000064FA000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
          Source: NEW ORDER_8876630.exe, 00000009.00000002.923953764.0000000006E7E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD$Tk9
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected AveMaria stealerShow sources
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Yara detected MailPassViewShow sources
          Source: Yara matchFile source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.924228437.000000000734F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.924432961.0000000007C61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 5876, type: MEMORY
          Source: Yara matchFile source: 34.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 34.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Source: Yara matchFile source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Tries to steal Instant Messenger accounts or passwordsShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match; File source: 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: vbc.exe PID: 5776, type: MEMORY
          Source: Yara match; File source: 36.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 36.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe; String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
buteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttri
buteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected AveMaria stealer
Source: Yara match, File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY

Yara detected Nanocore RAT
Source: Yara match, File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
Source: Yara match, File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Numbers in parentheses are the counts shown next to a technique in the original matrix; techniques without a number were not observed for this sample.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (12) | Masquerading (2) | OS Credential Dumping (1) | Security Software Discovery (221) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (4) | Input Capture (21) | Virtualization/Sandbox Evasion (4) | Remote Desktop Protocol | Input Capture (21) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Credentials in Registry (1) | Process Discovery (3) | SMB/Windows Admin Shares | Archive Collected Data (11) | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | Credentials In Files (1) | Application Window Discovery (1) | Distributed Component Object Model | Data from Local System (1) | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | System Information Discovery (14) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (13) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 320333
Sample: NEW ORDER_8876630.exe
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 100

Top-level signatures:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for dropped file
• 15 other signatures

Process tree (node numbers are those of the graph; the trailing numbers on a process node are the counts the graph shows for it):

Start
  8  NEW ORDER_8876630.exe 6
       dropped: C:\Users\user\AppData\...\sTIihDLgsDxOeq.exe (PE32)
       dropped: C:\Users\user\AppData\Local\...\tmpBCE5.tmp (XML)
       dropped: C:\Users\user\...\NEW ORDER_8876630.exe.log (ASCII)
       17  NEW ORDER_8876630.exe 1 15
             network: 79.134.225.9, 4321, 49729, FINK-TELECOM-SERVICESCH, Switzerland
             dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
             dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
             dropped: C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
             37  vbc.exe
                   signature: Tries to steal Instant Messenger accounts or passwords
                   signature: Tries to steal Mail credentials (via file access)
             40  vbc.exe
                   signature: Tries to harvest and steal browser information (history, passwords, etc)
             42  schtasks.exe 1
                   52  conhost.exe
             50  2 other processes
                   54  conhost.exe
       21  schtasks.exe 1
             44  conhost.exe
       23  NEW ORDER_8876630.exe
  11  NEW ORDER_8876630.exe 4
       25  schtasks.exe
             46  conhost.exe
       27  NEW ORDER_8876630.exe
       29  NEW ORDER_8876630.exe
  13  dhcpmon.exe
       31  schtasks.exe
             48  conhost.exe
       33  dhcpmon.exe
       35  dhcpmon.exe
  15  dhcpmon.exe 3


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
NEW ORDER_8876630.exe | 49% | Virustotal |
NEW ORDER_8876630.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 49% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 49% | Virustotal |
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

Source | Detection | Scanner | Label
28.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.2.NEW ORDER_8876630.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.2.NEW ORDER_8876630.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.msn.com/?ocid=iehpLMEM | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.fontbureau.com/designers/? | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.fontbureau.com/designers | dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.carterandcone.coml | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.sajatypeworks.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.typography.netD | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://fontfabrik.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.founder.com.cn/cn | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | 4× URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | |
                                    high
                                    http://www.msn.com/de-ch/?ocivbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpfalse
                                      high
                                      http://www.fonts.comNEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.krNEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleaseNEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.nirsoft.net/vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.865177744.0000000000994000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr, 3agbefca.z1h.34.drfalse
                                          high
                                          http://www.zhongyicts.com.cnNEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNEW ORDER_8876630.exe, 00000000.00000002.670733862.0000000002721000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sakkal.comNEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.9 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320333
Start date: 19.11.2020
Start time: 09:20:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NEW ORDER_8876630.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@34/17@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.3%)
• Quality average: 66.7%
• Quality standard deviation: 37.1%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:20:57 | API Interceptor | 65x Sleep call for process: NEW ORDER_8876630.exe modified
09:21:05 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\NEW ORDER_8876630.exe" s>$(Arg0)
09:21:06 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:21:07 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:21:10 | API Interceptor | 53x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
79.134.225.9 | yrIVz5su2U.exe | malicious
79.134.225.9 | DHL 2723382830#U6536#U636e,pdf.exe | malicious
79.134.225.9 | Huidmwk.exe | malicious
79.134.225.9 | Huidmwk.exe | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | 9Pimjl3jyq.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | 7tRM7RUC.exe | malicious | 79.134.225.99
FINK-TELECOM-SERVICESCH | PURCHASE_ORDER.exe | malicious | 79.134.225.87
FINK-TELECOM-SERVICESCH | YW2l1lBx5p2U84V.exe | malicious | 79.134.225.54
FINK-TELECOM-SERVICESCH | ORDER #201006.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | 2HchQQHbc3.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | https://uc13b1859d0dd1d287abe11849bc.dl.dropboxusercontent.com/cd/0/get/BDYpKT2DghcT8k6q6ivr3Z10tH2fIzZ-quVnhNkvIaMzr65_x9Jb73dlKfp9-u2XxKjvY5mHqB-sTtfsf3X_DzOrS8DLCyWkeoM0ivsy2MmAb_UnT8m5tcbdlCmtPw__0Gg/file?dl=1 | malicious | 79.134.225.8
FINK-TELECOM-SERVICESCH | JfBrVoAbZJ.exe | malicious | 79.134.225.12
FINK-TELECOM-SERVICESCH | hLP6IkkrSG.exe | malicious | 79.134.225.45
FINK-TELECOM-SERVICESCH | Payment Confirmation NOV-85869983TGTTAS.exe | malicious | 79.134.225.14
FINK-TELECOM-SERVICESCH | P9hBKKQw3T.exe | malicious | 79.134.225.110
FINK-TELECOM-SERVICESCH | uqR1VNxNJn.exe | malicious | 79.134.225.52
FINK-TELECOM-SERVICESCH | ORDER-#00654.doc.....exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | 7GAi7ZFQz8.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | KL0DeoXZFx.dll | malicious | 79.134.225.55
FINK-TELECOM-SERVICESCH | nbMZ4y9Dj5.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | IRS-TAXPAYERS RELIEF.exe | malicious | 79.134.225.28
FINK-TELECOM-SERVICESCH | FREAKHIVE MANUAL.exe | malicious | 79.134.225.104
FINK-TELECOM-SERVICESCH | 544545.exe | malicious | 79.134.225.104
FINK-TELECOM-SERVICESCH | gtrd.exe | malicious | 79.134.225.104

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 487936
Entropy (8bit): 7.729635851000467
Encrypted: false
SSDEEP: 6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
MD5: 1745BF7233BDB5B42FBA4517363B258F
SHA1: 826F6DCBBE56FA62B3894F52C5AB18FD009930E2
SHA-256: 33D2CE58E713DAA6AEAE2D712DFBDAC9E7F431DF73C969F0C70AFA75B56F1AB9
SHA-512: D787F9ADE504D281689A66A3C160A2B99CDC3B429F02C78385732AD5F987EFC33C80B3EFE1B5B97085CA3F1F116BCF82B6AB1DEDC05DB05C9FDBBD8866CC644B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 49%
• Antivirus: ReversingLabs, Detection: 42%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..,...D......&K... ...`....@.. ....................................@..................................J..O....`...A........................................................................... ............... ..H............text...,+... ...,.................. ..`.rsrc....A...`...B..................@..@.reloc...............p..............@..B.................K......H........Y...C......o.......0...........................................B.(........}....*....0..!.........{....r...p.|....(....(.....+..*....0..<.............6...%..*.o.......o.......+.......o........X.........-....o...........,..r...p(....&...8..........(....}.......&.r?..p(....&.............(....}.......&.ro..p(....&...........}.....{....r...p(........,..r...p(....&...+X....}.....{....r...p(........,..r...p(....&...+(......(....}.......&.r...p(....&......+...*.(....b..t..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER_8876630.exe.log
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.345637324625647
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512: 014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.345637324625647
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512: 014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\3agbefca.z1h
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 523
Entropy (8bit): 5.166440724009737
Encrypted: false
SSDEEP: 12:BMQkS9xyR4VrR1LEIJ9yuNJmcfNXbYmvmAwYxZwgJwnbnyAwoE:WlS9v5N9ZmcfSYm0XwgynbnyF
MD5: 69B2A2E17E78D24ABEE9F1DE2F04811A
SHA1: D19C109704E83876AB3527457F9418A7D053AA33
SHA-256: 1B1491F21E64681F8FDC27B2265E2274FB7813EECB6AD8B446D2E431F6300EDD
SHA-512: EB7269979BC4187520636FE3D7B3089F2C7C02E81C4CE2A738ADE680F72C61C67FE9577EEAA09D3CA93F34B60BE8C434D2CFBFED6566E783F6611279F056150F
Malicious: false
Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">..<html><head><title>Email Accounts List</title></head>..<body>.. <h3>Email Accounts List</h3>..<br><h4>Created by using <a href="http://www.nirsoft.net/" target="newwin">Mail PassView</a></h4><p><table border="1" cellpadding="5"><tr bgcolor="E0E0E0">..<th>Name..<th>Application..<th>Email..<th>Server..<th>Server Port..<th>Secured..<th>Type..<th>User..<th>Password..<th>Profile..<th>Password Strength..<th>SMTP Server..<th>SMTP Server Port..</table>....</body></html>

C:\Users\user\AppData\Local\Temp\btuqens4.sdh
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 926
Entropy (8bit): 3.5897431793749606
Encrypted: false
SSDEEP: 24:QAl45i94TBYTCvq4A3Y7eOhv8UFaoQBIn4+pS:a5icwVTOhnFaoQ+n4+4
MD5: 919E671C3D5959A91EF2D4C377D2B2FF
SHA1: B1202B19512BBD390D3D5164792501C87BB42C41
SHA-256: D2E079DF7CF6388315368BA79BF099AD2FF5428AF51BF5ABF2D99A2D7C5EB651
SHA-512: F3298256372BEAB8EFE81B2E08D3B3869281F625DE1EE13189C6B95EB2134D223DF6F64CC9E490DD6B52A53AA936ADC17BD5DFE4E50EE0FE420F3EBAE276381C
Malicious: false
Preview: ..<.!.D.O.C.T.Y.P.E. .H.T.M.L. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .H.T.M.L. .3...2. .F.i.n.a.l././.E.N.".>.....<.h.t.m.l.>.<.h.e.a.d.>.<.t.i.t.l.e.>.W.e.b. .B.r.o.w.s.e.r. .P.a.s.s.w.o.r.d.s.<./.t.i.t.l.e.>.<./.h.e.a.d.>.....<.b.o.d.y.>..... .<.h.3.>.W.e.b. .B.r.o.w.s.e.r. .P.a.s.s.w.o.r.d.s.<./.h.3.>.....<.b.r.>.<.h.4.>.C.r.e.a.t.e.d. .b.y. .u.s.i.n.g. .<.a. .h.r.e.f.=.".h.t.t.p.:././.w.w.w...n.i.r.s.o.f.t...n.e.t./.". .t.a.r.g.e.t.=.".n.e.w.w.i.n.".>.W.e.b.B.r.o.w.s.e.r.P.a.s.s.V.i.e.w.<./.a.>.<./.h.4.>.<.p.>.<.t.a.b.l.e. .b.o.r.d.e.r.=.".1.". .c.e.l.l.p.a.d.d.i.n.g.=.".5.".>.<.t.r. .b.g.c.o.l.o.r.=.".E.0.E.0.E.0.".>.....<.t.h.>.U.R.L.....<.t.h.>.W.e.b. .B.r.o.w.s.e.r.....<.t.h.>.U.s.e.r. .N.a.m.e.....<.t.h.>.P.a.s.s.w.o.r.d.....<.t.h.>.P.a.s.s.w.o.r.d. .S.t.r.e.n.g.t.h.....<.t.h.>.U.s.e.r. .N.a.m.e. .F.i.e.l.d.....<.t.h.>.P.a.s.s.w.o.r.d. .F.i.e.l.d.....<./.t.a.b.l.e.>.........<./.b.o.d.y.>.<./.h.t.m.l.>.

C:\Users\user\AppData\Local\Temp\tmp11AC.tmp
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.17953057668383
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
MD5: 605F7E07FF8FA3CC8A082BC33F645C62
SHA1: FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
SHA-256: DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
SHA-512: FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.17953057668383
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
MD5: 605F7E07FF8FA3CC8A082BC33F645C62
SHA1: FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
SHA-256: DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
SHA-512: FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Local\Temp\tmpD09C.tmp
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1307
                                                    Entropy (8bit):5.136554816166762
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yqxtn:cbk4oL600QydbQxIYODOLedq3Oj
                                                    MD5:DC8F7205DF5B6966603257D088246BFF
                                                    SHA1:86387DC4A771D6608164787033EF2E626F0A80A0
                                                    SHA-256:326F10B4DA063CD4C6A6B953EFABDFC4CE63F605B96DC3B1AAC7DF3BE467492F
                                                    SHA-512:1EEA785908317987359038A226C548BA3DC6925C3BFFD9E83AD9CC82794D6A3AE0E653BEEB9AB2A668D1F088DD330CA9EC9C8F758C7340044D8EF2AFA3011DC9
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                    C:\Users\user\AppData\Local\Temp\tmpD35C.tmp
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1310
                                                    Entropy (8bit):5.109425792877704
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                    MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                    SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                    SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                    SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                    C:\Users\user\AppData\Local\Temp\tmpEF30.tmp
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1647
                                                    Entropy (8bit):5.17953057668383
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
                                                    MD5:605F7E07FF8FA3CC8A082BC33F645C62
                                                    SHA1:FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
                                                    SHA-256:DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
                                                    SHA-512:FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):232
                                                    Entropy (8bit):7.024371743172393
                                                    Encrypted:false
                                                    SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                    MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                    SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                    SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                    SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                    Malicious:false
                                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:Non-ISO extended-ASCII text, with CR line terminators
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:AH:AH
                                                    MD5:DF0AF2A58ACFB586F3EB1F4752CDD35C
                                                    SHA1:A6AEA5722491C8AB0A221BBF53DBA9622055309C
                                                    SHA-256:1C97C8725B4FA0052000FD20D30894F5945F2BE879CDDDC6CFDA789BAFAB0855
                                                    SHA-512:10BEECBAF1C1F827DB0A2B014299D71EF09F32B434634F48750561AC7193973037FF8D53D7E338ED21DC18E3A2ECA7BD94FD04DF8CC7907E035ABC708DF412C4
                                                    Malicious:true
                                                    Preview: WT..d..H
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):40
                                                    Entropy (8bit):5.153055907333276
                                                    Encrypted:false
                                                    SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                    MD5:4E5E92E2369688041CC82EF9650EDED2
                                                    SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                    SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                    SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                    Malicious:false
                                                    Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):327432
                                                    Entropy (8bit):7.99938831605763
                                                    Encrypted:true
                                                    SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                    MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                    SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                    SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                    SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                    Malicious:false
                                                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):44
                                                    Entropy (8bit):4.559212516945552
                                                    Encrypted:false
                                                    SSDEEP:3:oNt+WfWryp6fPA:oNwvmUfPA
                                                    MD5:1E848A7D7A8CD3DF5CD19585CDD7F7C3
                                                    SHA1:66CB715806767DB8905571F18955A3B596F9B3C0
                                                    SHA-256:C2276128170167404E72C69F31F3FB3CA930D9E96026CFC18A2517EA584B562F
                                                    SHA-512:3571F16BD442A7EAE1F7751A5FCCE32DD4097171BE8D07492D2011927EBDC674D1C676862CFDDA838A3C756A8D2E6871CCDF35EB939D846F7745F409C799283A
                                                    Malicious:false
                                                    Preview: C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
                                                    Process:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):487936
                                                    Entropy (8bit):7.729635851000467
                                                    Encrypted:false
                                                    SSDEEP:6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
                                                    MD5:1745BF7233BDB5B42FBA4517363B258F
                                                    SHA1:826F6DCBBE56FA62B3894F52C5AB18FD009930E2
                                                    SHA-256:33D2CE58E713DAA6AEAE2D712DFBDAC9E7F431DF73C969F0C70AFA75B56F1AB9
                                                    SHA-512:D787F9ADE504D281689A66A3C160A2B99CDC3B429F02C78385732AD5F987EFC33C80B3EFE1B5B97085CA3F1F116BCF82B6AB1DEDC05DB05C9FDBBD8866CC644B
                                                    Malicious:true
                                                    Antivirus:
                                                    • Joe Sandbox ML, Detection: 100%
                                                    • Virustotal, Detection: 49%
                                                    • ReversingLabs, Detection: 42%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..,...D......&K... ...`....@.. ....................................@..................................J..O....`...A........................................................................... ............... ..H............text...,+... ...,.................. ..`.rsrc....A...`...B..................@..@.reloc...............p..............@..B.................K......H........Y...C......o.......0...........................................B.(........}....*....0..!.........{....r...p.|....(....(.....+..*....0..<.............6...%..*.o.......o.......+.......o........X.........-....o...........,..r...p(....&...8..........(....}.......&.r?..p(....&.............(....}.......&.ro..p(....&...........}.....{....r...p(........,..r...p(....&...+X....}.....{....r...p(........,..r...p(....&...+(......(....}.......&.r...p(....&......+...*.(....b..t..
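The tmp*.tmp files listed above are Task Scheduler 1.2 XML definitions in two variants: one with an enabled LogonTrigger for computer\user that runs at LeastPrivilege, and one with an empty Triggers element, AllowStartOnDemand and RunLevel HighestAvailable. Together with the "Scheduled temp file as task from temp location" Sigma hit and the schtasks.exe signature in the overview, they are the persistence artefacts worth pulling out of this report. The following Python script is added here as an example and is not part of the sandbox report; it extracts the fields that matter for triage from such XML. Its two inputs are reconstructed from the truncated previews above with closing tags supplied, and no Actions element is assumed because the previews stop before it.

```python
"""Triage Task Scheduler XML definitions dropped by a sample (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed inputs: the two task variants previewed in the report, rebuilt from
# the visible fields with closing tags supplied.  The previews end before any
# <Actions> element, so none is assumed here.
TASK_LOGON = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>"""

TASK_ONDEMAND = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
</Task>"""


def parse_task(xml_text):
    """The dropped files declare encoding="UTF-16" but are ASCII (see the report's
    File Type), so the declaration is discarded rather than trusted."""
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1))


def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def enabled_triggers(root):
    """Local names of triggers that are present and not explicitly disabled
    (the task schema treats a missing <Enabled> as true)."""
    names = []
    triggers = root.find("t:Triggers", NS)
    for trig in (triggers if triggers is not None else []):
        enabled = trig.find("t:Enabled", NS)
        if enabled is None or (enabled.text or "true").strip().lower() == "true":
            names.append(trig.tag.split("}", 1)[-1])
    return names


def triage(xml_text):
    """Return the persistence-relevant facts plus human-readable findings."""
    root = parse_task(xml_text)
    triggers = enabled_triggers(root)
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    findings = []
    if "LogonTrigger" in triggers:
        findings.append("starts at user logon (LogonTrigger enabled)")
    if not triggers and _text(root, "t:Settings/t:AllowStartOnDemand").lower() == "true":
        findings.append("no triggers: runs only when started on demand")
    if run_level == "HighestAvailable":
        findings.append("requests the highest available privileges")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("hidden from the Task Scheduler UI")
    if command:
        findings.append("executes " + command)
        if re.search(r"\\(AppData|Temp)\\", command, re.IGNORECASE):
            findings.append("command lives under a user-writable profile path")
    return {"triggers": triggers, "run_level": run_level, "command": command,
            "findings": findings}
```

The encoding mismatch is the practical trap here: the declaration says UTF-16 while the bytes are single-byte ASCII, so a strict parser that honours the declaration rejects these files outright; stripping the declaration and parsing the text that is actually present avoids that. Run `triage()` over each recovered XML; a task with no triggers, AllowStartOnDemand and HighestAvailable only ever runs when something calls it, which is the second variant above.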

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.729635851000467
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:NEW ORDER_8876630.exe
                                                    File size:487936
                                                    MD5:1745bf7233bdb5b42fba4517363b258f
                                                    SHA1:826f6dcbbe56fa62b3894f52c5ab18fd009930e2
                                                    SHA256:33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
                                                    SHA512:d787f9ade504d281689a66a3c160a2b99cdc3b429f02c78385732ad5f987efc33c80b3efe1b5b97085ca3f1f116bcf82b6ab1dedc05db05c9fdbbd8866cc644b
                                                    SSDEEP:6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..,...D......&K... ...`....@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:0dd21272d9ccc439

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x474b26
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x5FB56AD3 [Wed Nov 18 18:41:23 2020 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al   (repeated 97 times: these are 00 00 bytes; the native entrypoint is the single jmp through the IAT at 0x402000 and the rest of the preview window is zero padding, not code)

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x74ad4          0x4f          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x76000          0x41c0        .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7c000          0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0x72b2c | 0x72c00 | False | 0.860081358932 | data | 7.75604514901 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0x76000 | 0x41c0 | 0x4200 | False | 0.31220407197 | data | 4.22937385179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_ICON | 0x76190 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                    RT_ICON | 0x765f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4290054656, next used block 4290054656 | |
                                                    RT_ICON | 0x776a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4290251780, next used block 4290189330 | |
                                                    RT_GROUP_ICON | 0x79c48 | 0x30 | data | |
                                                    RT_VERSION | 0x79c78 | 0x35c | data | |
                                                    RT_MANIFEST | 0x79fd4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                    Imports

                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain

                                                    Version Infos

                                                    Description | Data
                                                    Translation | 0x0000 0x04b0
                                                    LegalCopyright | Copyright Microsoft 2017 - 2020
                                                    Assembly Version | 1.0.0.0
                                                    InternalName | .exe
                                                    FileVersion | 1.0.0.0
                                                    CompanyName | Microsoft
                                                    LegalTrademarks |
                                                    Comments |
                                                    ProductName | Monopoly Simulator
                                                    ProductVersion | 1.0.0.0
                                                    FileDescription | Monopoly Simulator
                                                    OriginalFilename | .exe

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    11/19/20-09:21:07.833217 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 4321 | 192.168.2.4 | 79.134.225.9

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:09:20:51
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\NEW ORDER_8876630.exe'
                                                    Imagebase:0x230000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670812071.00000000027A8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:20:58
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:20:59
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:20:59
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:{path}
                                                    Imagebase:0x3c0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:00
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x8e0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.924228437.000000000734F000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.924432961.0000000007C61000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:03
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:03
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:04
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:04
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:06
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0
                                                    Imagebase:0xc20000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.699403409.0000000003042000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:07
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                    Imagebase:0x6e0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 49%, Virustotal, Browse
                                                    • Detection: 42%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:11
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:12
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:12
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:{path}
                                                    Imagebase:0x230000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:13
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0xe00000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:15
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                    Imagebase:0x280000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:20
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:21
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:22
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:{path}
                                                    Imagebase:0x80000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:22
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x7e0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:22:27
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:moderate

                                                    General

                                                    Start time:09:22:28
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:09:22:30
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                                    Disassembly

                                                    Code Analysis
