
Analysis Report n4CeZTejKM.exe

Overview

General Information

Sample Name: n4CeZTejKM.exe
Analysis ID: 383183
MD5: b8362f2f6e0353819fa0dd8a35ef6a58
SHA1: f1cb392fa0fd6acbb6eb1d858064a74fd5272ff3
SHA256: 0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • n4CeZTejKM.exe (PID: 6528 cmdline: 'C:\Users\user\Desktop\n4CeZTejKM.exe' MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • powershell.exe (PID: 6640 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6660 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6788 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • n4CeZTejKM.exe (PID: 6804 cmdline: C:\Users\user\Desktop\n4CeZTejKM.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • n4CeZTejKM.exe (PID: 6900 cmdline: C:\Users\user\Desktop\n4CeZTejKM.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
  • dhcpmon.exe (PID: 5820 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • powershell.exe (PID: 6120 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1020 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6132 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 3348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 6324 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 2168 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
    • dhcpmon.exe (PID: 6712 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: B8362F2F6E0353819FA0DD8A35EF6A58)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "744b568e-a77e-4db4-a930-a5348ceb", "Group": "NWANWA", "Domain1": "lastme11.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(32 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
23.2.dhcpmon.exe.3f1e434.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
23.2.dhcpmon.exe.3f1e434.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
23.2.dhcpmon.exe.3f1e434.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(68 further unpacked-PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\n4CeZTejKM.exe, ProcessId: 6900, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\n4CeZTejKM.exe' , ParentImage: C:\Users\user\Desktop\n4CeZTejKM.exe, ParentProcessId: 6528, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp', ProcessId: 6660

Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "744b568e-a77e-4db4-a930-a5348ceb", "Group": "NWANWA", "Domain1": "lastme11.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 18%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | ReversingLabs: Detection: 68%
Multi AV Scanner detection for submitted file
Source: n4CeZTejKM.exe | Virustotal: Detection: 42%
Source: n4CeZTejKM.exe | Metadefender: Detection: 18%
Source: n4CeZTejKM.exe | ReversingLabs: Detection: 68%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY
Source: Yara match | File source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORY
Source: Yara match | File source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: n4CeZTejKM.exe | Joe Sandbox ML: detected
Source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 9.2.n4CeZTejKM.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: n4CeZTejKM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\n4CeZTejKM.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: n4CeZTejKM.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: n4CeZTejKM.exe, 00000009.00000002.477387335.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: n4CeZTejKM.exe, 00000001.00000002.220301959.0000000004FE0000.00000002.00000001.sdmp, n4CeZTejKM.exe, 00000009.00000002.486778263.0000000005C10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.271352812.0000000002810000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: lastme11.ddns.net
Source: Malware configuration extractor | URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown | DNS query: name: lastme11.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49705 -> 194.5.98.9:8282
Source: Joe Sandbox View | IP Address: 194.5.98.9
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: unknown | UDP traffic detected without corresponding DNS query: 37.235.1.174 (22 events)
Source: unknown | UDP traffic detected without corresponding DNS query: 37.235.1.177 (3 events)
Source: unknown | UDP traffic detected without corresponding DNS query: 37.235.1.174 (5 further events)
Source: unknown | DNS traffic detected: queries for: lastme11.ddns.net
Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000B.00000002.438581357.0000000004641000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000003.303550932.0000000004E8B000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.313150171.0000000005098000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: n4CeZTejKM.exe, 00000001.00000002.212751327.0000000000F3A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: n4CeZTejKM.exe, 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: the same 30 memory-dump (type: MEMORY) and unpacked-PE (type: UNPACKEDPE) sources listed under "Yara detected Nanocore RAT" in the AV Detection section

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.486853202.0000000005C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.2.dhcpmon.exe.2ee17c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.3681654.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.5c70000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_05F113D6 NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_05F113A9 NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_0590131A NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_059012DF NtQuerySystemInformation,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_05BA120E NtQuerySystemInformation,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_05BA11DD NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_00E97818
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F50EC8
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F528F6
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F528F8
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F529D6
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F529AE
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 1_2_04F50EB8
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E2FA8
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E23A0
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E8788
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032EB058
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E3850
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E9388
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E969B
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E9C30
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E306F
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_032E944F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_02680EC8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_02680EB8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_02682954
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_02682924
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_029A5F70
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_029AADF0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_045EC240
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_077826E0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07788BD8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07780007
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_0779A738
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_0779C790
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07796B5D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07799320
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_0779E162
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_0779A798
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07794F88
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_0779B781
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_07794BB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_077932D0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_026C98D0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_026CB468
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_026CCD48
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_026DCFC8
      Source: n4CeZTejKM.exe | Binary or memory string: OriginalFilename vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.221845471.0000000005D70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.221845471.0000000005D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.221432983.0000000005C70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDebuggerHiddenAttribute.dllX vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.220301959.0000000004FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.220019146.0000000004F70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDurmu_ vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000002.212751327.0000000000F3A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000001.00000003.209003232.0000000000FDF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd42.exe: vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe | Binary or memory string: OriginalFilename vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000008.00000002.209394254.0000000000212000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd42.exe: vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe | Binary or memory string: OriginalFilename vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.487949749.0000000006A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.483025308.0000000003671000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.487529435.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000000.210277250.0000000000F12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd42.exe: vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.486234603.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe, 00000009.00000002.486778263.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs n4CeZTejKM.exe
      Source: n4CeZTejKM.exe | Binary or memory string: OriginalFilenameFlushWriteAsyncd42.exe: vs n4CeZTejKM.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: n4CeZTejKM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.486853202.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.486853202.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.2.dhcpmon.exe.2ee17c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.2ee17c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.3681654.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.3681654.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.5c70000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.5c70000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@32/28@30/2
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 1_2_05F10FC2 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 1_2_05F10F8B AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 9_2_059010DA AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 9_2_059010A3 AdjustTokenPrivileges,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05BA0B4E AdjustTokenPrivileges,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05BA0B17 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile created: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{744b568e-a77e-4db4-a930-a5348ceb4c3b}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\JVvAqWFgsNsPISjcE
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_01
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF565.tmp
      Source: n4CeZTejKM.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276219460.0000000002BE4000.00000004.00000001.sdmpBinary or memory string: INSERT INTO PublisherMembershipCondition VALUES(@modelo, @fabricante, @ano, @cor);
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276219460.0000000002BE4000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276219460.0000000002BE4000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276219460.0000000002BE4000.00000004.00000001.sdmpBinary or memory string: Select * from PublisherMembershipCondition WHERE modelo=@modelo;zDeu erro na execu
      Source: n4CeZTejKM.exeVirustotal: Detection: 42%
      Source: n4CeZTejKM.exeMetadefender: Detection: 18%
      Source: n4CeZTejKM.exeReversingLabs: Detection: 68%
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile read: C:\Users\user\Desktop\n4CeZTejKM.exe
      Source: unknownProcess created: C:\Users\user\Desktop\n4CeZTejKM.exe 'C:\Users\user\Desktop\n4CeZTejKM.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Users\user\Desktop\n4CeZTejKM.exe C:\Users\user\Desktop\n4CeZTejKM.exe
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Users\user\Desktop\n4CeZTejKM.exe C:\Users\user\Desktop\n4CeZTejKM.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: n4CeZTejKM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: n4CeZTejKM.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: n4CeZTejKM.exe, 00000009.00000002.477387335.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: n4CeZTejKM.exe, 00000001.00000002.220301959.0000000004FE0000.00000002.00000001.sdmp, n4CeZTejKM.exe, 00000009.00000002.486778263.0000000005C10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.271352812.0000000002810000.00000002.00000001.sdmp

      Data Obfuscation:

      .NET source code contains method to dynamically call methods (often used by packers)
      Source: n4CeZTejKM.exe, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: sIlqvNJawsmeFV.exe.1.dr, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: 1.2.n4CeZTejKM.exe.6c0000.0.unpack, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: 1.0.n4CeZTejKM.exe.6c0000.0.unpack, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: 8.2.n4CeZTejKM.exe.210000.0.unpack, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: 8.0.n4CeZTejKM.exe.210000.0.unpack, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      Source: dhcpmon.exe.9.dr, ListView/FallbackBuffer.cs.Net Code: NewLateBinding.LateCall(V_4, null, "Invoke", new object[] { null, new object[] { new string[] { FormatterTypeStyle.ExclusiveScheduler, FormatterTypeStyle.IdentityAuthority, "WinControls.ListView" } } }, null, null, null, true)
      .NET source code contains potential unpacker
      Source: n4CeZTejKM.exe, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: sIlqvNJawsmeFV.exe.1.dr, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.2.n4CeZTejKM.exe.6c0000.0.unpack, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.0.n4CeZTejKM.exe.6c0000.0.unpack, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.n4CeZTejKM.exe.210000.0.unpack, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.0.n4CeZTejKM.exe.210000.0.unpack, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: dhcpmon.exe.9.dr, ListView/FallbackBuffer.cs.Net Code: WSTRBufferMarshaler System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 1_2_00E980FD push ebp; ret
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 9_2_016D9D78 pushad ; retf
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00B1811E push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00B18162 push ebp; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00B17C81 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00B17C81 push ebp; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_026A0AAE push 00000002h; retn 0010h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_029A2180 push edx; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_029ADE8F push ecx; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_029ADEBB push ecx; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_029ADDE4 push ecx; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_029AED60 push ebp; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_045EDFCB push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07785753 push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_077826D3 push esp; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_077826C5 push ebp; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0778F68B push edi; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_077854E8 push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0778E21F push eax; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07783280 pushad ; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07783283 pushad ; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07780007 push esi; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0778FF99 push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0778CEDF push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07787BC9 push es; retn 0004h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0778EA30 push eax; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07797348 push 8BF88B00h; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07790A69 push ecx; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_026C4B89 push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_026C86F0 push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_026C4F40 push eax; mov dword ptr [esp], edx
      Source: initial sampleStatic PE information: section name: .text entropy: 6.80300279946
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.2.n4CeZTejKM.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile created: C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeFile opened: C:\Users\user\Desktop\n4CeZTejKM.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (33 identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry recorded 166 times)

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
      Source: Yara match | File source: 10.2.dhcpmon.exe.2bc92f8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.n4CeZTejKM.exe.2d892d4.1.raw.unpack, type: UNPACKEDPE
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5318
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1958
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4552
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2112
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Window / User API: foregroundWindowGot 700
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2620
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4856
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4366
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2888
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe TID: 6532 | Thread sleep time: -99025s >= -30000s
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe TID: 6592 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5516 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876 | Thread sleep count: 4552 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6880 | Thread sleep count: 2112 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944 | Thread sleep count: 53 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6148 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe TID: 6968 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe TID: 6948 | Thread sleep time: -340000s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3352 | Thread sleep time: -99321s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2788 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728 | Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6184 | Thread sleep count: 4366 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6180 | Thread sleep count: 2888 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6268 | Thread sleep count: 55 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3440 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4912 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_05900D66 GetSystemInfo,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Thread delayed: delay time: 99025
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 99321
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Add-VMNetworkAdapter
      Source: powershell.exe, 00000002.00000003.303550932.0000000004E8B000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.313150171.0000000005098000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.441693484.0000000004EF3000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
      Source: dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VMNetworkAdapterTeamMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Connect-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Add-VMNetworkAdapterExtendedAcl
      Source: n4CeZTejKM.exe, 00000009.00000002.487949749.0000000006A80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterTeamMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: lKC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterIsolation
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Test-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VMNetworkAdapterRdma
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterAcl
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: lOC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Rename-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterVlan
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l)Get-VMNetworkAdapterFailoverConfiguration
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Remove-VMNetworkAdapterAcl
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l(Set-VmNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Add-VMScsiController
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VmNetworkAdapterIsolation
      Source: n4CeZTejKM.exe, 00000009.00000002.487949749.0000000006A80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMScsiController
      Source: dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterRdma
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: n4CeZTejKM.exe, 00000009.00000002.487949749.0000000006A80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l"Remove-VMNetworkAdapterExtendedAcl
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VMNetworkAdapterVlan
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l(Add-VmNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VmNetworkAdapterIsolation
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VMNetworkAdapterIsolationst0T
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Set-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Disconnect-VMNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l)Set-VMNetworkAdapterFailoverConfiguration
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l(Add-VMNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l(Get-VMNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Add-VMNetworkAdapterAcl
      Source: dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Remove-VMScsiController
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l+Remove-VMNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l"Remove-VMNetworkAdapterTeamMapping
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Remove-VMNetworkAdapter
      Source: n4CeZTejKM.exe, 00000009.00000002.487949749.0000000006A80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: Get-VMNetworkAdapterExtendedAcl
      Source: powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | Binary or memory string: l(Set-VMNetworkAdapterRoutingDomainMapping
      Source: powershell.exe, 00000002.00000003.303550932.0000000004E8B000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.313150171.0000000005098000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000003.441693484.0000000004EF3000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Adds a directory exclusion to Windows Defender
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Memory written: C:\Users\user\Desktop\n4CeZTejKM.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Users\user\Desktop\n4CeZTejKM.exe C:\Users\user\Desktop\n4CeZTejKM.exe
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe Process created: C:\Users\user\Desktop\n4CeZTejKM.exe C:\Users\user\Desktop\n4CeZTejKM.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: n4CeZTejKM.exe, 00000009.00000003.422297965.00000000061D5000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: n4CeZTejKM.exe, 00000009.00000002.477100038.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: n4CeZTejKM.exe, 00000009.00000002.477100038.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: n4CeZTejKM.exe, 00000009.00000002.477100038.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: n4CeZTejKM.exe, 00000009.00000002.483344417.0000000003730000.00000004.00000001.sdmp Binary or memory string: Program ManagerHQJ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeCode function: 9_2_016CAF9A GetUserNameW,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: n4CeZTejKM.exe PID: 6900, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: n4CeZTejKM.exe PID: 6528, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6712, type: MEMORY
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f1e434.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f00000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3ef4b80.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46be434.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46c2a5d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f00000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f22a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3d34b80.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3dfa8d0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46be434.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.5f04629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f1e434.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3f195fe.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.n4CeZTejKM.exe.3ef4b80.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3d34b80.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.dhcpmon.exe.3c3a8d0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.n4CeZTejKM.exe.46b95fe.5.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: n4CeZTejKM.exe, 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: n4CeZTejKM.exe, 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: n4CeZTejKM.exe, 00000009.00000002.483025308.0000000003671000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000017.00000002.298863189.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000017.00000002.298863189.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match. File sources: the same memory dumps, process memory spaces and unpacked PE files listed for this signature under Stealing of Sensitive Information above.
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_0590262A bind,
      Source: C:\Users\user\Desktop\n4CeZTejKM.exe | Code function: 9_2_059025D8 bind,

      Mitre Att&ck Matrix

      The matrix is listed here by tactic (column); numbers following a technique name reproduce the count badges shown in the report.

      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
      Execution: Scheduled Task/Job 1, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
      Persistence: DLL Side-Loading 1, Scheduled Task/Job 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
      Privilege Escalation: DLL Side-Loading 1, Access Token Manipulation 1, Process Injection 112, Scheduled Task/Job 1, Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
      Defense Evasion: Disable or Modify Tools 11, Deobfuscate/Decode Files or Information 1, Obfuscated Files or Information 3, Software Packing 22, DLL Side-Loading 1, Masquerading 2, Virtualization/Sandbox Evasion 31, Access Token Manipulation 1, Process Injection 112, Hidden Files and Directories 1
      Credential Access: Input Capture 21, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
      Discovery: Account Discovery 1, File and Directory Discovery 1, System Information Discovery 13, Query Registry 1, Security Software Discovery 211, Process Discovery 2, Virtualization/Sandbox Evasion 31, Application Window Discovery 1, System Owner/User Discovery 1, Process Discovery
      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
      Collection: Archive Collected Data 11, Input Capture 21, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
      Command and Control: Encrypted Channel 1, Non-Standard Port 1, Remote Access Software 1, Non-Application Layer Protocol 1, Application Layer Protocol 21, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
      Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

      Behavior Graph

      Behavior Graph ID: 383183 | Sample: n4CeZTejKM.exe | Start date: 07/04/2021 | Architecture: WINDOWS | Score: 100

      Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures

      n4CeZTejKM.exe (started from the start node)
        Dropped files: C:\Users\user\AppData\...\sIlqvNJawsmeFV.exe (PE32); C:\...\sIlqvNJawsmeFV.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF565.tmp (XML); C:\Users\user\AppData\...\n4CeZTejKM.exe.log (ASCII)
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
        Started processes: n4CeZTejKM.exe; powershell.exe; powershell.exe; 2 other processes

      dhcpmon.exe (started from the start node)
        Started processes: powershell.exe; schtasks.exe; powershell.exe; 4 other processes

      n4CeZTejKM.exe (child process started by n4CeZTejKM.exe)
        Network: lastme11.ddns.net, 194.5.98.9, ports 49705, 49709, 49712, DANILENKODE, Netherlands; 127.0.0.1 (unknown)
        Dropped files: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)

      Each powershell.exe process, schtasks.exe and the "2 other processes" node started a conhost.exe.

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      n4CeZTejKM.exe | 42% | Virustotal |
      n4CeZTejKM.exe | 24% | Metadefender |
      n4CeZTejKM.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      n4CeZTejKM.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 24% | Metadefender |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | 24% | Metadefender |
      C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe | 69% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      9.2.n4CeZTejKM.exe.5f00000.9.unpack | 100% | Avira | TR/NanoCore.fadte
      9.2.n4CeZTejKM.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      23.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      lastme11.ddns.net | 0% | Avira URL Cloud | safe
      https://go.micro | 0% | URL Reputation | safe
      127.0.0.1 | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      lastme11.ddns.net | 194.5.98.9 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      lastme11.ddns.net | true | Avira URL Cloud: safe | unknown
      127.0.0.1 | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.438581357.0000000004641000.00000004.00000001.sdmp | false | | high
        https://go.micro | powershell.exe, 00000002.00000003.303550932.0000000004E8B000.00000004.00000001.sdmp; powershell.exe, 00000006.00000003.313150171.0000000005098000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | n4CeZTejKM.exe, 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp; dhcpmon.exe, 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000B.00000002.439146359.0000000004782000.00000004.00000001.sdmp | false | | high

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.9 | lastme11.ddns.net | Netherlands | 208476 | DANILENKODE | true

                Private

                IP
                127.0.0.1

                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383183
Start date: 07.04.2021
Start time: 12:06:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: n4CeZTejKM.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/28@30/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 3.1% (good quality ratio 3.1%)
• Quality average: 64.8%
• Quality standard deviation: 10.7%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

Time | Type | Description
12:07:00 | API Interceptor | 738x Sleep call for process: n4CeZTejKM.exe modified
12:07:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
12:07:17 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified
12:07:35 | API Interceptor | 201x Sleep call for process: powershell.exe modified

                Joe Sandbox View / Context

                IPs

Match | Associated Sample Name / URL | Detection
194.5.98.9 | New purchase order PO#678932190,rar.exe | malicious
- | 37Bill of lading information -8877-pdf-invoice677.js | malicious
- | 37Bill of lading information -8877-pdf-invoice677.js | malicious
- | 41Payment copy.js | malicious
- | 41Payment copy.js | malicious
- | Scan Copy.exe | malicious

                            Domains

                            No context

                            ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DANILENKODE | New Order request Ref E100-#3175704534,pdf.e.exe | malicious | 194.5.97.14
- | PO-#3175704534,PDF.exe | malicious | 194.5.97.14
- | Evgp2DqQha.exe | malicious | 194.5.98.107
- | Payment Copy #6578965432.exe | malicious | 194.5.98.52
- | PO SKP 149684.jar | malicious | 194.5.98.48
- | 4EPXPkicIL.exe | malicious | 194.5.97.158
- | xoxd454e9q.exe | malicious | 194.5.97.158
- | 1VzQLgPeAlfHSHQ.exe | malicious | 194.5.97.214
- | XJ1lVmdiCi.exe | malicious | 194.5.97.237
- | QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious | 194.5.98.182
- | Revised invoice30032021.exe | malicious | 194.5.98.145
- | QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe | malicious | 194.5.98.182
- | Vp0VO1U2oo.exe | malicious | 194.5.98.107
- | IpEtbpwMpM.exe | malicious | 194.5.98.250
- | LOT 15 - Transfer Manifest.xlsx | malicious | 194.5.98.250
- | 2df27f1a3505dbd0995188d49c253f5bc53c0e994954c.exe | malicious | 194.5.98.107
- | 1AQz4ua1TU.exe | malicious | 194.5.98.107
- | 5YjMB4pzS4.exe | malicious | 194.5.98.49
- | F8ZoCqWINT.exe | malicious | 194.5.98.250
- | xxRtA2mCLA.exe | malicious | 194.5.98.250

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):992768
                            Entropy (8bit):6.75779325476642
                            Encrypted:false
                            SSDEEP:12288:5EMXiA97oRAgvitEQ6TFQdNXDfx2EHphAKeZrdhOBcc3:nH97AZfQ0GdNMEHbkhOH
                            MD5:B8362F2F6E0353819FA0DD8A35EF6A58
                            SHA1:F1CB392FA0FD6ACBB6EB1D858064A74FD5272FF3
                            SHA-256:0EF41DABAA6AF07317DD45595F15625CB7517650BB13B365DE0717D3CAD26197
                            SHA-512:BB06D70FB66480A8A7BC464A4AE3F4E0EE08D38F06779571B83E23B7CAC00DDF1DA417FA8754541514CC971CA3FAF549EB9F40BFDA2E0EF77444ECBA6BE6C923
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 24%
                            • Antivirus: ReversingLabs, Detection: 69%
                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview: [ZoneTransfer]....ZoneId=0
                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):5.288448637977022
                            Encrypted:false
                            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                            MD5:B1DB55991C3DA14E35249AEA1BC357CA
                            SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                            SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                            SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                            Malicious:false
                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\n4CeZTejKM.exe.log
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):664
                            Entropy (8bit):5.288448637977022
                            Encrypted:false
                            SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                            MD5:B1DB55991C3DA14E35249AEA1BC357CA
                            SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                            SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                            SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                            Malicious:true
                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):17865
                            Entropy (8bit):5.02433858506336
                            Encrypted:false
                            SSDEEP:384:2opbjvwRjdvRHdaXX35Iib4gCwfard3RAFHWrxgbiQ0HzAF8:2opbjoRjdvRHdaH3lCwfard3OFHWrxgo
                            MD5:4E751BEC18CCAEBDF0AF573AE7A32B77
                            SHA1:43858D8314FE18D541C90EEF073BFBFF06C28786
                            SHA-256:08B67A67D18C85BDBAC791C00B5096A960B73350CDD4F4CF6436F9CC4841C40B
                            SHA-512:C046B6532C9BBA6187F6A6E6CC77D7F2FA216897F07376C0727FD3A71C5CFC1AB60F17501E20536A49F8384D9DFF27EA81E5775ED706C0AD47E0ADF17F041AE1
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):21664
                            Entropy (8bit):5.594497460067712
                            Encrypted:false
                            SSDEEP:384:ItL6lQKlZXC/TIYSBKnWultInu0pEQeZUVd17ALmzl5WKHVQ3SgSj2DI++j1:xlZCEY4KWultcucEpId3lRGSdco
                            MD5:360726589E368B010C01F35D52906539
                            SHA1:507D57012C48F6EC0BE394AE89F0E06EA8DF0DAB
                            SHA-256:82A976F5287DA86EE2E2F12358EBE120B107DD06DB9B0FACE79F2A7CC7E2B8F4
                            SHA-512:6758B51531EE131581AC0E659B853DE95FCEAF95438364F53BF5A6D50187DAEB2801929F01BE52CCAE63F519261D5F899CB5A7702CBBEAA56FC1AF768A846B3D
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axdeg3n0.hma.psm1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0hg4dvh.1qt.ps1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e23daa5d.if2.psm1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjwcjsjc.umd.ps1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pej2zjrs.mml.psm1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdz4vktr.xfo.psm1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_utn1oj0r.spb.ps1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x13ksxuu.yky.ps1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp
                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1647
                            Entropy (8bit):5.198427188443693
                            Encrypted:false
                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBdXtn:cbh47TlNQ//rydbz9I3YODOLNdq3L9
                            MD5:83DA5FF120BDC6A05C9E1148152A48F0
                            SHA1:2789E2760A0684E67EF046E7E7F7538C3C198C85
                            SHA-256:CAEEEDE72A392E388155D3C74F199A6046A89C6ED8340C78D7BD6C37F4D4E1D0
                            SHA-512:69049FB7E4A3CC548208529FB951B711D23210969FEDD7B33F0EC69FD7862CE4393F78D4CD5513157E4C66F2934B10F4768F8A99B4B26DD92578CC6DD0454548
                            Malicious:false
                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                            C:\Users\user\AppData\Local\Temp\tmpF565.tmp
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1647
                            Entropy (8bit):5.198427188443693
                            Encrypted:false
                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBdXtn:cbh47TlNQ//rydbz9I3YODOLNdq3L9
                            MD5:83DA5FF120BDC6A05C9E1148152A48F0
                            SHA1:2789E2760A0684E67EF046E7E7F7538C3C198C85
                            SHA-256:CAEEEDE72A392E388155D3C74F199A6046A89C6ED8340C78D7BD6C37F4D4E1D0
                            SHA-512:69049FB7E4A3CC548208529FB951B711D23210969FEDD7B33F0EC69FD7862CE4393F78D4CD5513157E4C66F2934B10F4768F8A99B4B26DD92578CC6DD0454548
                            Malicious:true
                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:ISO-8859 text, with no line terminators
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):2.75
                            Encrypted:false
                            SSDEEP:3:5dcP:Ds
                            MD5:BC7C2FFCF05B15DEA4FC6AAC3CC0887B
                            SHA1:F777DA80862B3E57234142EF7D9067A2401D70D6
                            SHA-256:562CA0CF92DC9FC836A8E276CF402B2F0C9E31ABB50DB73A756D7BC4F61117AA
                            SHA-512:F3F282BCF172E492BF8A833541E536AD942ACB587FDB8A6C7B0711D77CC202E568E7FEFC946F7B58A2C6EA06C3A057D66025D1E14E20103AA02B162A3908BED9
                            Malicious:true
                            Preview: XX.U...H
                            C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):992768
                            Entropy (8bit):6.75779325476642
                            Encrypted:false
                            SSDEEP:12288:5EMXiA97oRAgvitEQ6TFQdNXDfx2EHphAKeZrdhOBcc3:nH97AZfQ0GdNMEHbkhOH
                            MD5:B8362F2F6E0353819FA0DD8A35EF6A58
                            SHA1:F1CB392FA0FD6ACBB6EB1D858064A74FD5272FF3
                            SHA-256:0EF41DABAA6AF07317DD45595F15625CB7517650BB13B365DE0717D3CAD26197
                            SHA-512:BB06D70FB66480A8A7BC464A4AE3F4E0EE08D38F06779571B83E23B7CAC00DDF1DA417FA8754541514CC971CA3FAF549EB9F40BFDA2E0EF77444ECBA6BE6C923
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: Metadefender, Detection: 24%, Browse
                            • Antivirus: ReversingLabs, Detection: 69%
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#G]`..............P......L......n.... ........@.. ....................................@.....................................O.......$I...................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...$I.......J..................@..@.reloc.......`.......$..............@..B................P.......H........Q...K...............[...........................................0............(;...(<.........(.....o=....*.....................(>......(?......(@......(A......(B....*N..(....oA...(C....*&..(D....*.sE........sF........sG........sH........sI........*....0...........~....oJ....+..*.0...........~....oK....+..*.0...........~....oL....+..*.0...........~....oM....+..*.0...........~....oN....+..*&..(O....*...0..<........~.....(P.....,!r...p.....(Q...oR...sS............~.....
                            C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe:Zone.Identifier
                            Process:C:\Users\user\Desktop\n4CeZTejKM.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview: [ZoneTransfer]....ZoneId=0
                            C:\Users\user\Documents\20210407\PowerShell_transcript.980108.ECse6Ohy.20210407120705.txt
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):5805
                            Entropy (8bit):5.416580629940367
                            Encrypted:false
                            SSDEEP:96:BZLh8NrqDo1ZhZRh8NrqDo1Z5GoOjZeh8NrqDo1ZCVfee0Zr:1A
                            MD5:104D8EFE3FDA0E9A1361627665B03AAC
                            SHA1:0B066E4FB41F2B247A31C7E02CE385F464040030
                            SHA-256:F802B1A41CC8DE988E18323C4EBB5B911EBABA42ECE30A16A5A56F3F55E11878
                            SHA-512:4EA8A420121C4CEB07067BD78494441D7A19976F236C48F696F6E700E25553AEFE946B005B5C556583AF014E8CA0C34A08F4997D8AA14BA81EA2D62F3A405385
                            Malicious:false
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210407120723..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe..Process ID: 6788..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210407120723..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe..**********************..Windows PowerShell transcript start..Start time: 20210407121245..Username: computer\user..RunAs User: DESKTOP-716T
                            C:\Users\user\Documents\20210407\PowerShell_transcript.980108.IThRkPer.20210407120726.txt
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):5805
                            Entropy (8bit):5.41181055573263
                            Encrypted:false
                            SSDEEP:96:BZPh8NKqDo1ZRZ9h8NKqDo1Z6GoOjZZh8NKqDo1ZdfeeObZEi:K
                            MD5:DCABB212A7382C7ABF3BBBD87F523CC6
                            SHA1:39FF77F92C4454456495A9F5BAB1F345DA391A04
                            SHA-256:F307A40AF8FBF1F340D8476A64FB787F8C95D3C75BBB28AA781D968E99E4B47C
                            SHA-512:06F46DECC33362D60829E389D43B464CBA928AA605DD3C36917E7EF47FADE925B4B61DADC51ECF90427B1F3CB4A4856DB10EF5ED108A01CA1D46A38E1CD2CAE5
                            Malicious:false
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210407120811..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe..Process ID: 6132..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210407120811..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe..**********************..Windows PowerShell transcript start..Start time: 20210407121212..Username: computer\user..RunAs User: DESKTOP-716T
                            C:\Users\user\Documents\20210407\PowerShell_transcript.980108.eyquLQAd.20210407120723.txt
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3691
                            Entropy (8bit):5.2246933254566414
                            Encrypted:false
                            SSDEEP:96:BZ8nh8NYqDo1Z2Z4h8NYqDo1ZBlzvOzGMzGMzwyZU:8vyGgGgwD
                            MD5:17C31712FC3B977759DED677E8074C9A
                            SHA1:E65F7EC1AAA3650759C944E7E60F9F0F4FC108F2
                            SHA-256:C04D538E3F7D279FC1ACF3CECA9E7A1607DA178EA81C6AB16C3BBC9AE4A37937
                            SHA-512:03A225B372F66DC7831241D3214D00A7B602E96AAB9C3F5EF8114942715E86883A640CDF9CC4ED6275D775326E8128132C913DF3B0809DD26EC0293DC4625145
                            Malicious:false
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210407120757..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 6120..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210407120758..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..**********************..Windows PowerShell transcript start..Start time: 20210407121604..Username: computer\user..RunAs User: computer\
                            C:\Users\user\Documents\20210407\PowerShell_transcript.980108.uu_KBH0g.20210407120702.txt
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):5733
                            Entropy (8bit):5.39655048255073
                            Encrypted:false
                            SSDEEP:96:BZIPh8NqEqDo1ZWSpZ4h8NqEqDo1ZiG9w9O9jZyh8NqEqDo1Z019+9+9uZx:sbPSIMiUGd88s
                            MD5:98BFEE5676F9CA48BB57F9827860F0DF
                            SHA1:56F430264A3E11F97734DF549C8A003302CFFD06
                            SHA-256:F9EE3D7728672764DF455041A6CCC9690179DC9FFA6FE56BD0C1D6132E589E47
                            SHA-512:036CB22311CB39F962D01113910EB883BA14A36784EE53B7B794916084BE4731187C510B5901712E5D411363067D0A7F18A1454884C634F02EF144DCE15032BF
                            Malicious:false
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210407120720..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\n4CeZTejKM.exe..Process ID: 6640..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210407120720..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\n4CeZTejKM.exe..**********************..Windows PowerShell transcript start..Start time: 20210407121741..Username: computer\user..RunAs User: computer\user..Configuration
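The dropped-file records above carry three facts worth an automated verdict: the executable written to AppData\Roaming has the same MD5/SHA1/SHA-256 as the submitted sample (a self-copy for persistence), the sample itself writes a Zone.Identifier stream with ZoneId=0 to that copy (so the file carries no mark-of-the-web), and the PowerShell transcripts show Add-MpPreference -ExclusionPath being run for the dropped copy, the original, and a path under Program Files (x86). The following Python is an added example, not part of the Joe Sandbox report and not code from the sample, that turns those records into findings. The records are transcribed from the report with previews shortened and the report's ".." line-break rendering turned back into CRLF; the DroppedFile class, the USER_WRITABLE list, the 10-character finding tags and the severity split are this example's own choices.

```python
import re
from dataclasses import dataclass

# SHA-256 of the submitted sample, from the report's Static File Info.
SAMPLE_SHA256 = "0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197"

# Directory fragments an unprivileged user can write to (example's own list);
# an exclusion or a dropped executable under one of these gets a higher severity.
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")

ADD_MPPREF = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process)\s+[\"']?(.+?)[\"']?\s*$",
    re.IGNORECASE | re.MULTILINE)
ZONE_ID = re.compile(r"^\s*ZoneId\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


@dataclass
class DroppedFile:
    path: str      # dropped path; a ":Zone.Identifier" suffix means an alternate data stream
    process: str   # process that wrote it
    sha256: str
    preview: str   # text content, as in the report's Preview column


# Records transcribed from the report's dropped-files section (constructed sample input).
DROPS = [
    DroppedFile(r"C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe",
                r"C:\Users\user\Desktop\n4CeZTejKM.exe", SAMPLE_SHA256, "MZ..."),
    DroppedFile(r"C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe:Zone.Identifier",
                r"C:\Users\user\Desktop\n4CeZTejKM.exe",
                "255a65d30841ab4082bd9d0eea79d49c5ee88f56136157d8d6156aef11c12309",
                "[ZoneTransfer]\r\nZoneId=0\r\n"),
    DroppedFile(r"C:\Users\user\Documents\20210407\PowerShell_transcript.980108.ECse6Ohy.20210407120705.txt",
                r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                "f802b1a41cc8de988e18323c4ebb5b911ebaba42ece30a16a5a56f3f55e11878",
                "\r\n".join([
                    r"Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe",
                    r"PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe", ""])),
    DroppedFile(r"C:\Users\user\Documents\20210407\PowerShell_transcript.980108.eyquLQAd.20210407120723.txt",
                r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                "c04d538e3f7d279fc1acf3ceca9e7a1607da178ea81c6ab16c3bbc9ae4a37937",
                "\r\n".join([
                    r"PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", ""])),
]


def zone_id(ads_text):
    """ZoneId from a Zone.Identifier stream (0 = Local Machine, 3 = Internet), or None."""
    m = ZONE_ID.search(ads_text)
    return int(m.group(1)) if m else None


def defender_exclusions(text):
    """Exclusion paths from Add-MpPreference commands in transcript text, deduplicated in order."""
    seen = []
    for p in ADD_MPPREF.findall(text):
        p = p.strip().strip("\"'")
        if p not in seen:
            seen.append(p)
    return seen


def is_user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage(drops, sample_sha256=SAMPLE_SHA256):
    """Return (tag, detail) findings for a list of DroppedFile records."""
    findings = []
    for d in drops:
        low = d.path.lower()
        if d.sha256.lower() == sample_sha256.lower() and not low.endswith(":zone.identifier"):
            where = "user-writable" if is_user_writable(d.path) else "system"
            findings.append(("self-copy", f"{d.path} is a byte-identical copy of the sample ({where} location)"))
        elif low.endswith(":zone.identifier"):
            if zone_id(d.preview) == 0:
                findings.append(("motw-suppressed", f"{d.process} wrote ZoneId=0 to {d.path}"))
        elif "powershell_transcript" in low:
            for excl in defender_exclusions(d.preview):
                tag = "defender-exclusion-user-writable" if is_user_writable(excl) else "defender-exclusion"
                findings.append((tag, f"exclusion added for {excl}"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(DROPS):
        print(f"[{tag}] {detail}")
```

Any Add-MpPreference from a non-admin-tooling parent is worth an alert on its own; the user-writable check only ranks the AppData and Desktop exclusions above the Program Files one. Transcripts are a convenient source here because the sandbox had transcription enabled; on a production host the same regex applies to PowerShell script-block logging (Event ID 4104) text.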

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):6.75779325476642
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:n4CeZTejKM.exe
                            File size:992768
                            MD5:b8362f2f6e0353819fa0dd8a35ef6a58
                            SHA1:f1cb392fa0fd6acbb6eb1d858064a74fd5272ff3
                            SHA256:0ef41dabaa6af07317dd45595f15625cb7517650bb13b365de0717d3cad26197
                            SHA512:bb06d70fb66480a8a7bc464a4ae3f4e0ee08d38f06779571b83e23b7cac00ddf1da417fa8754541514cc971ca3faf549eb9f40bfda2e0ef77444ecba6be6c923
                            SSDEEP:12288:5EMXiA97oRAgvitEQ6TFQdNXDfx2EHphAKeZrdhOBcc3:nH97AZfQ0GdNMEHbkhOH
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#G]`..............P......L......n.... ........@.. ....................................@................................

                            File Icon

                            Icon Hash:40d2d2d2c6c6d200

                            Static PE Info

                            General

                            Entrypoint:0x4ef76e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x605D4723 [Fri Mar 26 02:29:55 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v2.0.50727
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al   (this line repeats for the remaining 97 instructions of the preview: the bytes after the 6-byte jmp stub are zeros, and 00 00 disassembles as add byte ptr [eax], al)

                            Data Directories

                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0xef71c          0x4f          .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf0000          0x4924        .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf6000          0xc           .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                            Sections

                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                            .text   0x2000           0xed774       0xed800   False     0.531135896382   data       6.80300279946   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rsrc   0xf0000          0x4924        0x4a00    False     0.253695101351   data       3.28486972218   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc  0xf6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
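The Static PE Info, Data Directories and Sections values above are enough to check the one thing a reviewer wants to confirm about the native entry point of a .NET PE: that it is the 6-byte `jmp dword ptr [IAT slot]` stub through which the loader reaches mscoree!_CorExeMain, and nothing else. The script below is an added example, not part of the report, that performs that check with the report's numbers and renders the header timestamp 0x605D4723. The entry bytes are constructed from the disassembly shown in the Entrypoint Preview (FF 25 followed by a 32-bit absolute address is the encoding of `jmp dword ptr [addr]`); the report shows the instruction, not the raw bytes.

```python
import struct
from datetime import datetime, timezone

# Values from the report's Static PE Info, Data Directories and Sections tables.
IMAGEBASE = 0x400000
ENTRYPOINT_VA = 0x4ef76e
SECTIONS = [  # (name, virtual address, virtual size)
    (".text", 0x2000, 0xed774),
    (".rsrc", 0xf0000, 0x4924),
    (".reloc", 0xf6000, 0xc),
]
IAT_DIR = (0x2000, 0x8)              # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_DIR = (0x2008, 0x48)  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
PE_TIMESTAMP = 0x605D4723

# Entry-point bytes constructed from the disassembly "jmp dword ptr [00402000h]":
# FF 25 <disp32 little-endian>, then the zero bytes the preview decodes as add [eax], al.
ENTRY_BYTES = bytes.fromhex("ff25002040000000000000000000")


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def in_directory(rva, directory):
    start, size = directory
    return size > 0 and start <= rva < start + size


def decode_indirect_jmp(code):
    """Absolute address read by `jmp dword ptr [addr]` (opcode FF /4 with ModRM 0x25), or None."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    return struct.unpack_from("<I", code, 2)[0]


def check_clr_entry(entry_va, code, imagebase=IMAGEBASE, sections=SECTIONS,
                    iat=IAT_DIR, com=COM_DESCRIPTOR_DIR):
    """Classify the native entry point of a PE that carries a CLR header.

    A managed assembly's native entry point should be the stub
    jmp dword ptr [IAT slot of mscoree!_CorExeMain]. A native prologue
    instead, or a jump whose target is outside the IAT directory, means
    native code runs before the CLR does (packer or loader stub).
    """
    rva = entry_va - imagebase
    target = decode_indirect_jmp(code)
    section = section_for_rva(rva, sections)
    result = {
        "entry_rva": rva,
        "section": section,
        "managed": com[1] != 0,
        "jmp_target": target,
        "via_iat": target is not None and in_directory(target - imagebase, iat),
        # the whole 6-byte stub has to lie inside one section
        "stub_fits": section is not None and section_for_rva(rva + 5, sections) == section,
    }
    result["clr_stub"] = result["managed"] and result["via_iat"] and result["stub_fits"]
    return result


def pe_timestamp_utc(ts):
    """Render the PE header TimeDateStamp (seconds since the Unix epoch) as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    r = check_clr_entry(ENTRYPOINT_VA, ENTRY_BYTES)
    print(f"entry RVA {r['entry_rva']:#x} in {r['section']}, jmp -> {r['jmp_target']:#x}, CLR stub: {r['clr_stub']}")
    print("header timestamp:", pe_timestamp_utc(PE_TIMESTAMP))
```

For this file the stub sits at RVA 0xef76e and ends exactly at the end of the .text virtual size (0x2000 + 0xed774 = 0xef774), and its target 0x402000 is the IAT's single 8-byte slot, which matches the one import the file declares (mscoree.dll!_CorExeMain). The header timestamp decodes to 2021-03-26 02:29:55 UTC, as the report states; a compiler-written timestamp is cheap to forge, so it is a pivot for clustering builds rather than evidence of when the sample was made.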

                            Resources

                            Name           RVA      Size    Type                                                                          Language  Country
                            RT_ICON        0xf0100  0x4228  dBase III DBT, version number 0, next free block index 40
                            RT_GROUP_ICON  0xf4338  0x14    data
                            RT_VERSION     0xf435c  0x3c8   data
                            RT_MANIFEST    0xf4734  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                            Imports

                            DLL          Import
                            mscoree.dll  _CorExeMain

                            Version Infos

                            Description       Data
                            Translation       0x0000 0x04b0
                            LegalCopyright    Mitsubishi Grandis
                            Assembly Version  2.0.0.8
                            InternalName      FlushWriteAsyncd42.exe
                            FileVersion       2.0.0.8
                            CompanyName
                            LegalTrademarks
                            Comments          A control that is a cross between a TreeView and ListView
                            ProductName       TreeListView
                            ProductVersion    2.0.0.8
                            FileDescription   TreeListView
                            OriginalFilename  FlushWriteAsyncd42.exe

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP    Dest IP
                            04/07/21-12:08:51.366361  ICMP      402  ICMP Destination Unreachable Port Unreachable                           192.168.2.3  37.235.1.177
                            04/07/21-12:08:57.463781  ICMP      402  ICMP Destination Unreachable Port Unreachable                           192.168.2.3  37.235.1.174

                            Network Port Distribution

                            TCP Packets

                            Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                            Apr 7, 2021 12:07:08.955805063 CEST  49705        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:08.997693062 CEST  8282         49705      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:09.498339891 CEST  49705        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:09.540368080 CEST  8282         49705      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:10.045350075 CEST  49705        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:10.087270975 CEST  8282         49705      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:24.140595913 CEST  49709        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:24.181890965 CEST  8282         49709      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:24.720387936 CEST  49709        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:24.761925936 CEST  8282         49709      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:25.280903101 CEST  49709        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:25.323470116 CEST  8282         49709      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:30.747617960 CEST  49712        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:30.789664984 CEST  8282         49712      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:31.375108004 CEST  49712        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:31.416950941 CEST  8282         49712      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:31.968951941 CEST  49712        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:32.010413885 CEST  8282         49712      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:53.537945986 CEST  49726        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:53.581038952 CEST  8282         49726      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:54.283289909 CEST  49726        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:54.326841116 CEST  8282         49726      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:07:54.970818996 CEST  49726        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:07:55.012243032 CEST  8282         49726      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:02.228030920 CEST  49728        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:02.270768881 CEST  8282         49728      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:02.783958912 CEST  49728        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:02.825546980 CEST  8282         49728      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:03.330938101 CEST  49728        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:03.372982025 CEST  8282         49728      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:13.093048096 CEST  49732        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:13.135967970 CEST  8282         49732      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:13.644242048 CEST  49732        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:13.686116934 CEST  8282         49732      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:14.191200018 CEST  49732        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:14.232889891 CEST  8282         49732      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:50.274300098 CEST  49742        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:50.316080093 CEST  8282         49742      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:50.819183111 CEST  49742        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:50.860692024 CEST  8282         49742      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:51.366091013 CEST  49742        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:51.408396959 CEST  8282         49742      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:56.499160051 CEST  49743        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:56.540694952 CEST  8282         49743      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:57.054162979 CEST  49743        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:57.097485065 CEST  8282         49743      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:08:57.601178885 CEST  49743        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:08:57.645791054 CEST  8282         49743      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:09:04.794033051 CEST  49744        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:09:04.835779905 CEST  8282         49744      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:09:05.336066961 CEST  49744        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:09:05.378210068 CEST  8282         49744      194.5.98.9   192.168.2.3
                            Apr 7, 2021 12:09:05.883148909 CEST  49744        8282       192.168.2.3  194.5.98.9
                            Apr 7, 2021 12:09:05.927488089 CEST  8282         49744      194.5.98.9   192.168.2.3

                            UDP Packets

                            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                            Apr 7, 2021 12:07:07.790890932 CEST  50620        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:08.780201912 CEST  50620        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:08.809835911 CEST  53           50620      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:07:14.689867020 CEST  55984        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:15.988897085 CEST  55984        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:16.999814034 CEST  55984        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:19.046530008 CEST  55984        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:23.113275051 CEST  55984        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:24.137429953 CEST  53           55984      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:07:29.874258041 CEST  64185        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:30.708245993 CEST  53           64185      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:07:52.408004999 CEST  51352        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:53.517241955 CEST  53           51352      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:07:53.536180019 CEST  51352        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:07:59.170382023 CEST  59349        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:00.175076008 CEST  59349        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:01.206177950 CEST  59349        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:02.227020979 CEST  53           59349      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:08:07.782757998 CEST  58823        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:08.805272102 CEST  58823        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:09.977143049 CEST  58823        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:11.988413095 CEST  58823        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:13.013056040 CEST  53           58823      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:08:35.834372044 CEST  56579        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:36.862322092 CEST  56579        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:37.943831921 CEST  56579        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:39.943721056 CEST  56579        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:43.960089922 CEST  56579        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:48.026032925 CEST  60633        53         192.168.2.3   37.235.1.177
                            Apr 7, 2021 12:08:49.058722019 CEST  60633        53         192.168.2.3   37.235.1.177
                            Apr 7, 2021 12:08:50.081543922 CEST  53           60633      37.235.1.177  192.168.2.3
                            Apr 7, 2021 12:08:50.270971060 CEST  60633        53         192.168.2.3   37.235.1.177
                            Apr 7, 2021 12:08:51.366216898 CEST  53           60633      37.235.1.177  192.168.2.3
                            Apr 7, 2021 12:08:55.472393036 CEST  61292        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:56.461020947 CEST  61292        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:08:56.497888088 CEST  53           61292      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:08:57.463502884 CEST  53           61292      37.235.1.174  192.168.2.3
                            Apr 7, 2021 12:09:01.684366941 CEST  63619        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:09:02.711464882 CEST  63619        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:09:03.772718906 CEST  63619        53         192.168.2.3   37.235.1.174
                            Apr 7, 2021 12:09:04.793008089 CEST  53           63619      37.235.1.174  192.168.2.3

                            ICMP Packets

                            Timestamp                            Source IP    Dest IP       Checksum  Code                Type
                            Apr 7, 2021 12:08:51.366360903 CEST  192.168.2.3  37.235.1.177  e790      (Port unreachable)  Destination Unreachable
                            Apr 7, 2021 12:08:57.463781118 CEST  192.168.2.3  37.235.1.174  e78d      (Port unreachable)  Destination Unreachable
                            Both messages go from the analysis host to the DNS resolver, each a fraction of a millisecond after a second reply to an already-answered query (UDP rows at 12:08:51.366216 and 12:08:57.463502 above): the querying socket had been closed, so the late reply was rejected. The Snort SID 402 alerts therefore come from DNS retry timing, not from the C2 traffic.
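The TCP table above shows nine short exchanges with 194.5.98.9 on port 8282 (one per client source port, three outbound packets each, every one answered within about 42 ms), and the UDP and DNS tables show a query for lastme11.ddns.net to a public resolver shortly before each of them. The following Python is an added example, not part of the report, that turns packet rows of that shape into connection attempts, summarises them per destination (attempt count, replies, non-standard port, mean spacing) and pairs each attempt with the DNS query that preceded it. The rows are transcribed from the report's tables for the first three attempts; the COMMON_PORTS set and the 10-second correlation window are this example's own choices, and because the report lists DNS queries rather than answers, the pairing is a timing inference, not a proven resolution of the name to that address.

```python
from datetime import datetime

CLIENT, C2 = "192.168.2.3", "194.5.98.9"
# Ports on which outbound traffic is unremarkable in most environments (example's own list).
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995, 8080, 8443}

# Rows transcribed from the report's TCP Packets table, first three connection attempts:
# (timestamp, source port, destination port, source ip, destination ip).
TCP_ROWS = [
    ("Apr 7, 2021 12:07:08.955805063 CEST", 49705, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:08.997693062 CEST", 8282, 49705, C2, CLIENT),
    ("Apr 7, 2021 12:07:09.498339891 CEST", 49705, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:09.540368080 CEST", 8282, 49705, C2, CLIENT),
    ("Apr 7, 2021 12:07:10.045350075 CEST", 49705, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:10.087270975 CEST", 8282, 49705, C2, CLIENT),
    ("Apr 7, 2021 12:07:24.140595913 CEST", 49709, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:24.181890965 CEST", 8282, 49709, C2, CLIENT),
    ("Apr 7, 2021 12:07:24.720387936 CEST", 49709, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:24.761925936 CEST", 8282, 49709, C2, CLIENT),
    ("Apr 7, 2021 12:07:25.280903101 CEST", 49709, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:25.323470116 CEST", 8282, 49709, C2, CLIENT),
    ("Apr 7, 2021 12:07:30.747617960 CEST", 49712, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:30.789664984 CEST", 8282, 49712, C2, CLIENT),
    ("Apr 7, 2021 12:07:31.375108004 CEST", 49712, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:31.416950941 CEST", 8282, 49712, C2, CLIENT),
    ("Apr 7, 2021 12:07:31.968951941 CEST", 49712, 8282, CLIENT, C2),
    ("Apr 7, 2021 12:07:32.010413885 CEST", 8282, 49712, C2, CLIENT),
]
# Timestamps of the report's DNS queries for lastme11.ddns.net that precede those attempts.
DNS_QUERIES = [(ts, "lastme11.ddns.net") for ts in (
    "Apr 7, 2021 12:07:07.790890932 CEST", "Apr 7, 2021 12:07:08.780201912 CEST",
    "Apr 7, 2021 12:07:14.689867020 CEST", "Apr 7, 2021 12:07:15.988897085 CEST",
    "Apr 7, 2021 12:07:16.999814034 CEST", "Apr 7, 2021 12:07:19.046530008 CEST",
    "Apr 7, 2021 12:07:23.113275051 CEST", "Apr 7, 2021 12:07:29.874258041 CEST",
)]


def parse_ts(text):
    """Parse the report's 'Apr 7, 2021 12:07:08.955805063 CEST' form; nanoseconds are cut to microseconds."""
    head, frac = text.replace(" CEST", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def connection_attempts(rows, client=CLIENT):
    """Group packets by the client's ephemeral port: one group per connection attempt, oldest first."""
    attempts = {}
    for ts, sport, dport, src, dst in rows:
        t = parse_ts(ts)
        outbound = src == client
        key = (sport, dst, dport) if outbound else (dport, src, sport)
        a = attempts.setdefault(key, {"first": t, "out": 0, "in": 0})
        a["first"] = min(a["first"], t)
        a["out" if outbound else "in"] += 1
    return [dict(src_port=k[0], dst=k[1], dst_port=k[2], **v)
            for k, v in sorted(attempts.items(), key=lambda kv: kv[1]["first"])]


def beacon_summary(attempts):
    """Per destination: attempts, how many got a reply, port class, mean spacing between attempts."""
    by_target = {}
    for a in attempts:
        by_target.setdefault((a["dst"], a["dst_port"]), []).append(a)
    summary = []
    for (dst, port), group in by_target.items():
        firsts = [a["first"] for a in group]
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(firsts, firsts[1:])]
        summary.append({
            "target": f"{dst}:{port}",
            "attempts": len(group),
            "answered": sum(1 for a in group if a["in"] > 0),
            "nonstandard_port": port not in COMMON_PORTS,
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        })
    return summary


def preceding_dns(attempt, queries, window_s=10.0):
    """Name queried most recently within window_s before the attempt's first packet, or None."""
    best = None
    for ts, name in queries:
        q = parse_ts(ts)
        if q <= attempt["first"] and (attempt["first"] - q).total_seconds() <= window_s:
            if best is None or q > best[0]:
                best = (q, name)
    return best[1] if best else None


if __name__ == "__main__":
    attempts = connection_attempts(TCP_ROWS)
    for a in attempts:
        print(f"{a['first'].time()} :{a['src_port']} -> {a['dst']}:{a['dst_port']} "
              f"out={a['out']} in={a['in']} after DNS for {preceding_dns(a, DNS_QUERIES)}")
    print(beacon_summary(attempts))
```

The table gives packet headers only, so nothing here claims a completed handshake or a payload. What the grouping does show is a client that re-dials the same host on a non-standard port every few seconds and asks a dynamic-DNS name of a public resolver first; over all nine attempts in the report the same three-packet, fully answered pattern repeats, which is the shape of a RAT checking in rather than of a one-off download.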

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Apr 7, 2021 12:07:07.790890932 CEST | 192.168.2.3 | 37.235.1.174 | 0x56b6 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:08.780201912 CEST | 192.168.2.3 | 37.235.1.174 | 0x56b6 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:14.689867020 CEST | 192.168.2.3 | 37.235.1.174 | 0xe49e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:15.988897085 CEST | 192.168.2.3 | 37.235.1.174 | 0xe49e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:16.999814034 CEST | 192.168.2.3 | 37.235.1.174 | 0xe49e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:19.046530008 CEST | 192.168.2.3 | 37.235.1.174 | 0xe49e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:23.113275051 CEST | 192.168.2.3 | 37.235.1.174 | 0xe49e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:29.874258041 CEST | 192.168.2.3 | 37.235.1.174 | 0xb3bc | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:52.408004999 CEST | 192.168.2.3 | 37.235.1.174 | 0xd91e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:53.536180019 CEST | 192.168.2.3 | 37.235.1.174 | 0xd91e | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:59.170382023 CEST | 192.168.2.3 | 37.235.1.174 | 0x14ad | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:00.175076008 CEST | 192.168.2.3 | 37.235.1.174 | 0x14ad | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:01.206177950 CEST | 192.168.2.3 | 37.235.1.174 | 0x14ad | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:07.782757998 CEST | 192.168.2.3 | 37.235.1.174 | 0x8c5c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:08.805272102 CEST | 192.168.2.3 | 37.235.1.174 | 0x8c5c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:09.977143049 CEST | 192.168.2.3 | 37.235.1.174 | 0x8c5c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:11.988413095 CEST | 192.168.2.3 | 37.235.1.174 | 0x8c5c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:35.834372044 CEST | 192.168.2.3 | 37.235.1.174 | 0xb81c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:36.862322092 CEST | 192.168.2.3 | 37.235.1.174 | 0xb81c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:37.943831921 CEST | 192.168.2.3 | 37.235.1.174 | 0xb81c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:39.943721056 CEST | 192.168.2.3 | 37.235.1.174 | 0xb81c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:43.960089922 CEST | 192.168.2.3 | 37.235.1.174 | 0xb81c | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:48.026032925 CEST | 192.168.2.3 | 37.235.1.177 | 0x779 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:49.058722019 CEST | 192.168.2.3 | 37.235.1.177 | 0x779 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:50.270971060 CEST | 192.168.2.3 | 37.235.1.177 | 0x779 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:55.472393036 CEST | 192.168.2.3 | 37.235.1.174 | 0xfe8a | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:56.461020947 CEST | 192.168.2.3 | 37.235.1.174 | 0xfe8a | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:09:01.684366941 CEST | 192.168.2.3 | 37.235.1.174 | 0x1c24 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:09:02.711464882 CEST | 192.168.2.3 | 37.235.1.174 | 0x1c24 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:09:03.772718906 CEST | 192.168.2.3 | 37.235.1.174 | 0x1c24 | Standard query (0) | lastme11.ddns.net | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Apr 7, 2021 12:07:08.809835911 CEST | 37.235.1.174 | 192.168.2.3 | 0x56b6 | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:24.137429953 CEST | 37.235.1.174 | 192.168.2.3 | 0xe49e | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:30.708245993 CEST | 37.235.1.174 | 192.168.2.3 | 0xb3bc | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:07:53.517241955 CEST | 37.235.1.174 | 192.168.2.3 | 0xd91e | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:02.227020979 CEST | 37.235.1.174 | 192.168.2.3 | 0x14ad | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:13.013056040 CEST | 37.235.1.174 | 192.168.2.3 | 0x8c5c | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:50.081543922 CEST | 37.235.1.177 | 192.168.2.3 | 0x779 | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:51.366216898 CEST | 37.235.1.177 | 192.168.2.3 | 0x779 | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:56.497888088 CEST | 37.235.1.174 | 192.168.2.3 | 0xfe8a | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:08:57.463502884 CEST | 37.235.1.174 | 192.168.2.3 | 0xfe8a | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)
                            Apr 7, 2021 12:09:04.793008089 CEST | 37.235.1.174 | 192.168.2.3 | 0x1c24 | No error (0) | lastme11.ddns.net | | 194.5.98.9 | A (IP address) | IN (0x0001)

                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time:12:06:58
                            Start date:07/04/2021
                            Path:C:\Users\user\Desktop\n4CeZTejKM.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\n4CeZTejKM.exe'
                            Imagebase:0x6c0000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.217601761.0000000003D81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.215030094.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            General

                            Start time:12:07:01
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\n4CeZTejKM.exe'
                            Imagebase:0x300000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:12:07:01
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:01
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmpF565.tmp'
                            Imagebase:0xd40000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:01
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:02
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
                            Imagebase:0x300000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:12:07:02
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:02
                            Start date:07/04/2021
                            Path:C:\Users\user\Desktop\n4CeZTejKM.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\Desktop\n4CeZTejKM.exe
                            Imagebase:0x210000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:03
                            Start date:07/04/2021
                            Path:C:\Users\user\Desktop\n4CeZTejKM.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\n4CeZTejKM.exe
                            Imagebase:0xf10000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.466535067.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.487039401.0000000005F00000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.486853202.0000000005C70000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.486853202.0000000005C70000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.484515558.00000000046B7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:12:07:14
                            Start date:07/04/2021
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                            Imagebase:0x330000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.276077719.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.282359113.0000000003BC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 24%, Metadefender
                            • Detection: 69%, ReversingLabs

                            General

                            Start time:12:07:19
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                            Imagebase:0x300000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:12:07:19
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:19
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sIlqvNJawsmeFV' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DD8.tmp'
                            Imagebase:0xd40000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:20
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:20
                            Start date:07/04/2021
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sIlqvNJawsmeFV.exe'
                            Imagebase:0x300000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:12:07:21
                            Start date:07/04/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6b2800000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:21
                            Start date:07/04/2021
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Imagebase:0x20000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:23
                            Start date:07/04/2021
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Imagebase:0x1b0000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:24
                            Start date:07/04/2021
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Imagebase:0x230000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:12:07:26
                            Start date:07/04/2021
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Imagebase:0x7b0000
                            File size:992768 bytes
                            MD5 hash:B8362F2F6E0353819FA0DD8A35EF6A58
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.281694344.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.299890051.0000000003ED1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            Disassembly

                            Code Analysis