
Analysis Report #RFQ ORDER484475577797.exe

Overview

General Information

Sample Name: #RFQ ORDER484475577797.exe
Analysis ID: 431672
MD5: 18e38261e8ea6ae0077c5448f809ccb6
SHA1: bbfaf42987014ba9571c75d1982843d7ad7155ac
SHA256: 3cb5c285d5e7f163c9764ef3e99467f5460b7f704c996ffa8e5e2982a2a86693
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • #RFQ ORDER484475577797.exe (PID: 4364 cmdline: 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe' MD5: 18E38261E8EA6AE0077C5448F809CCB6)
    • powershell.exe (PID: 5616 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3292 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • #RFQ ORDER484475577797.exe (PID: 1048 cmdline: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe MD5: 18E38261E8EA6AE0077C5448F809CCB6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "44a4f7d4-4e07-4399-aab5-6ba6b60e", "Group": "bb", "Domain1": "194.5.98.120", "Domain2": "joseedward5001.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
Source: 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x55dd7:$a: NanoCore
  • 0x55ec1:$a: NanoCore
  • 0x56d38:$a: NanoCore
  • 0x5fee2:$a: NanoCore
  • 0x5ff43:$a: NanoCore
  • 0x5ff86:$a: NanoCore
  • 0x5ffc6:$a: NanoCore
  • 0x60202:$a: NanoCore
  • 0x602a2:$a: NanoCore
  • 0x60a7a:$a: NanoCore
  • 0x6106d:$a: NanoCore
  • 0x611be:$a: NanoCore
  • 0x62018:$a: NanoCore
  • 0x6227f:$a: NanoCore
  • 0x62294:$a: NanoCore
  • 0x622b3:$a: NanoCore
  • 0x6b1b6:$a: NanoCore
  • 0x6b1df:$a: NanoCore
  • 0x76f58:$a: NanoCore
  • 0x76f81:$a: NanoCore
  • 0x9be44:$a: NanoCore
Source: 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x7aa6a:$a: NanoCore
  • 0x7aa8f:$a: NanoCore
  • 0x7aae8:$a: NanoCore
  • 0x8accf:$a: NanoCore
  • 0x8acf5:$a: NanoCore
  • 0x8ad51:$a: NanoCore
  • 0x97beb:$a: NanoCore
  • 0x97c44:$a: NanoCore
  • 0x97c77:$a: NanoCore
  • 0x97ea3:$a: NanoCore
  • 0x97f1f:$a: NanoCore
  • 0x98538:$a: NanoCore
  • 0x98681:$a: NanoCore
  • 0x98b55:$a: NanoCore
  • 0x98e3c:$a: NanoCore
  • 0x98e53:$a: NanoCore
  • 0xa1d37:$a: NanoCore
  • 0xa1db3:$a: NanoCore
  • 0xa4696:$a: NanoCore
  • 0xa9ca1:$a: NanoCore
  • 0xa9d1b:$a: NanoCore
(51 memory dump matches in total; only the first five are listed above)

Unpacked PEs

Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
Source: 10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
Source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
(159 unpacked PE matches in total; only the first five are listed above)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', ParentImage: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ParentProcessId: 4364, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe', ProcessId: 5616

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe, ProcessId: 1048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "44a4f7d4-4e07-4399-aab5-6ba6b60e", "Group": "bb", "Domain1": "194.5.98.120", "Domain2": "joseedward5001.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.483639790.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.3c02de1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.4577f69.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.#RFQ ORDER484475577797.exe.456eb0a.23.raw.unpack, type: UNPACKEDPE
Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, Avira: Label: TR/NanoCore.fadte
Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: #RFQ ORDER484475577797.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #RFQ ORDER484475577797.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: mscorlib.pdbC source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375988604.000000000103C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb*??>' source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375937251.000000000102F000.00000004.00000001.sdmp
    Source: Binary string: mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480095177.000000000105C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375937251.000000000102F000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479561466.0000000000FC3000.00000004.00000020.sdmp
    Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\zUFaivyCht\src\obj\x86\Debug\GuidStyles.pdb source: #RFQ ORDER484475577797.exe
    Source: Binary string: System.pdbd6R source: #RFQ ORDER484475577797.exe, 0000000A.00000003.292891816.0000000001054000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479922631.000000000103C000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\System.pdbF` source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479561466.0000000000FC3000.00000004.00000020.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49724 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 194.5.98.120:1604
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 194.5.98.120:1604
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 194.5.98.120
Source: Malware configuration extractor, URLs: joseedward5001.ddns.net
Source: global traffic, TCP traffic: 192.168.2.3:49724 -> 194.5.98.120:1604
Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
Source: unknown, TCP traffic detected without corresponding DNS query: 194.5.98.120 (this entry appears 50 times in the report)
Source: powershell.exe, 00000002.00000002.376360020.0000000000E98000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.257872584.0000000000F23000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.351711715.0000000007AA7000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.381527007.0000000004981000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.396636071.0000000007A98000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205031179.000000000561E000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/ce
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205395467.00000000055F9000.00000004.00000001.sdmp, #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com4
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com;
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comI.TTFu
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comals
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comasv
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comica
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comitud
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsief
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.200581068.00000000055FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comic)
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.202378192.00000000055E7000.00000004.00000001.sdmp, #RFQ ORDER484475577797.exe, 00000000.00000003.202695742.00000000055E6000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.202513228.00000000055E8000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.202378192.00000000055E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn3
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.202513228.00000000055E8000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn4
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.202192893.00000000055ED000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnht
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.206661212.00000000055F3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.206661212.00000000055F3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmJ
Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0pP
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/het
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/j
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/siv
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/uet;
    Source: powershell.exe, 00000002.00000003.350811381.0000000009493000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.256253921.000000000745C000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.co
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.199978541.00000000055E3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.199978541.00000000055E3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com_
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
    Source: #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.351711715.0000000007AA7000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000003.327034751.000000000533B000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.339252363.0000000004D7F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.342461886.0000000005253000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.483639790.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.3c02de1.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.4577f69.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 10.2.#RFQ ORDER484475577797.exe.456eb0a.23.raw.unpack, type: UNPACKEDPE

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495585675.00000000065F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495314337.00000000065A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.495206933.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.495261079.0000000006590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.495369457.00000000065B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.495737204.0000000006630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495530552.00000000065E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495151540.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.493841988.0000000005430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.489186804.00000000030DC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495415659.00000000065C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000A.00000002.495101158.0000000006560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.6590000.35.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65f4c9f.42.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2bdca0c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.65fe8a4.41.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.5430000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.3c02de1.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.3108fe8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.4577f69.22.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.2cb27c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2cb27c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 10.2.#RFQ ORDER484475577797.exe.456eb0a.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Initial sample is a PE file and has a suspicious nameShow sources
    Source: initial sampleStatic PE information: Filename: #RFQ ORDER484475577797.exe
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0249C2B0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_02499970
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720040
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720C48
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08721540
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08722DA8
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08721E60
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872F658
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725078
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720011
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872C0F0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087260E2
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087260E8
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08723890
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725088
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08729160
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872915A
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872A128
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08723220
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725338
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725328
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08728388
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08722C31
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720C39
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08723C90
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725530
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08721530
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08725520
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08724E68
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08721E50
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08724E59
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872A638
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720F78
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_08720F6A
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087297F0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0872C7F0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087247E0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087297EB
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_087247D1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0E45AFA0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0E45B870
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0E45D0B8
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0E45AC58
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 0_2_0E4511F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0496CCF0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0496E898
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0496E888
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04968BB8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04968BA8
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 10_2_00EFE480
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 10_2_00EFE471
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeCode function: 10_2_00EFBBD4
    Source: #RFQ ORDER484475577797.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: LNSXWuepjsOA.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.253119712.0000000008690000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.253999898.000000000E100000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.251898184.00000000070A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.251898184.00000000070A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 00000000.00000000.197575644.0000000000232000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGuidStyles.exe. vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000000.224208433.00000000008B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGuidStyles.exe. vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479220342.0000000000F98000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480203396.0000000001090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe | Binary or memory string: OriginalFilenameGuidStyles.exe. vs #RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495585675.00000000065F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495585675.00000000065F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495314337.00000000065A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495314337.00000000065A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.495206933.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495206933.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.495261079.0000000006590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495261079.0000000006590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.495369457.00000000065B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495369457.00000000065B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.495737204.0000000006630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495737204.0000000006630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495530552.00000000065E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495530552.00000000065E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495151540.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495151540.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.493841988.0000000005430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.493841988.0000000005430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.489186804.00000000030DC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495415659.00000000065C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495415659.00000000065C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000A.00000002.495101158.0000000006560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000A.00000002.495101158.0000000006560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 1048, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6560000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e14629.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.6590000.35.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6590000.35.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65f4c9f.42.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65f4c9f.42.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65a0000.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6630000.43.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6570000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65b0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2bdca0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2bdca0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44f6a76.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43db548.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65c0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c9e150.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.#RFQ ORDER484475577797.exe.3742670.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.44df817.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.44e8646.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6530000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.30e86dc.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.6580000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.5e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.3bf9982.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.65fe8a4.41.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65fe8a4.41.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.5430000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.5430000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.42de63d.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.3bfe7b8.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.65f0000.40.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.3c02de1.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.3c02de1.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43d6712.18.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.30f4968.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.3108fe8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.3108fe8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.42d2409.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.4577f69.22.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.2cb27c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2cb27c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2cb27c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.2c91ed4.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.4573940.24.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.42f2c6a.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 10.2.#RFQ ORDER484475577797.exe.43dfb71.17.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 10.2.#RFQ ORDER484475577797.exe.456eb0a.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: #RFQ ORDER484475577797.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: LNSXWuepjsOA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/21@0/1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File created: C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Mutant created: \Sessions\1\BaseNamedObjects\qbdgyRy
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{44a4f7d4-4e07-4399-aab5-6ba6b60e5392}
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_01
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5439.tmp
    Source: #RFQ ORDER484475577797.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 identical entries)
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
    Source: #RFQ ORDER484475577797.exe | String found in binary or memory: <!--StartFragment -->
    Source: #RFQ ORDER484475577797.exe | String found in binary or memory: -start_number {0} -i "{1}{2}"
    Source: #RFQ ORDER484475577797.exe | String found in binary or memory: <<<<<<<3+<!--StartFragment -->
    Source: #RFQ ORDER484475577797.exe | String found in binary or memory: %0{0}d;-start_number {0} -i "{1}{2}"
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File read: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
    Source: unknown | Process created: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: #RFQ ORDER484475577797.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: #RFQ ORDER484475577797.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: #RFQ ORDER484475577797.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: mscorlib.pdbC source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375988604.000000000103C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb*??>' source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375937251.000000000102F000.00000004.00000001.sdmp
    Source: Binary string: mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480095177.000000000105C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375937251.000000000102F000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479561466.0000000000FC3000.00000004.00000020.sdmp
    Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\zUFaivyCht\src\obj\x86\Debug\GuidStyles.pdb source: #RFQ ORDER484475577797.exe
    Source: Binary string: System.pdbd6R source: #RFQ ORDER484475577797.exe, 0000000A.00000003.292891816.0000000001054000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479922631.000000000103C000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\System.pdbF` source: #RFQ ORDER484475577797.exe, 0000000A.00000002.479561466.0000000000FC3000.00000004.00000020.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Code function: 0_2_00176946 push es; iretd
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Code function: 0_2_001769E6 push es; iretd
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Code function: 0_2_0E451E39 push cs; retf
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Code function: 10_2_007F69E6 push es; iretd
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Code function: 10_2_007F6946 push es; iretd
    Source: initial sample | Static PE information: section name: .text entropy: 7.61659853966
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 10.2.#RFQ ORDER484475577797.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 10.0.#RFQ ORDER484475577797.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File created: C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File opened: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe:Zone.Identifier read attributes | delete
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM3
    Source: Yara match | File source: 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: #RFQ ORDER484475577797.exe PID: 4364, type: MEMORY
    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6445
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1246
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5640
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1592
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4979
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1975
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Window / User API: threadDelayed 4133
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Window / User API: threadDelayed 5415
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Window / User API: foregroundWindowGot 865
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe TID: 492 | Thread sleep time: -104116s >= -30000s
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe TID: 5504 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4920 | Thread sleep time: -11068046444225724s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3160 | Thread sleep count: 5640 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 592 | Thread sleep count: 1592 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6288 | Thread sleep count: 60 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1956 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6156 | Thread sleep count: 4979 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6284 | Thread sleep count: 1975 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6372 | Thread sleep count: 70 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4804 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe TID: 6524 | Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Thread delayed: delay time: 104116
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.228886588.000000000074C000.00000004.00000001.sdmp | Binary or memory string: VMware
    Source: powershell.exe, 00000002.00000003.332663441.00000000051A3000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.339892232.0000000004EB3000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480203396.0000000001090000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: vmware
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: VMWARE
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.228886588.000000000074C000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareLKWLNTHXWin32_VideoControllerY3LRXGNHVideoController120060621000000.000000-000.17.7471display.infMSBDAPHWEDR9KPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVATRW578
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480203396.0000000001090000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480203396.0000000001090000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000003.375937251.000000000102F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: powershell.exe, 00000002.00000003.332663441.00000000051A3000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.339892232.0000000004EB3000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.480203396.0000000001090000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Adds a directory exclusion to Windows Defender
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
    Injects a PE file into a foreign process
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Memory written: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp'
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Process created: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.494744634.00000000061AC000.00000004.00000001.sdmp | Binary or memory string: Program Manager0U
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.485887158.0000000002D81000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.482729077.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.482729077.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.485362055.0000000002D1D000.00000004.00000001.sdmp | Binary or memory string: Program Managerp
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.496240883.0000000006A4A000.00000004.00000001.sdmp | Binary or memory string: lProgram Manager0
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp | Binary or memory string: Program Managerd+
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.482729077.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.485887158.0000000002D81000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$"
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
    Source: C:\Users\user\Desktop\#RFQ ORDER484475577797.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: #RFQ ORDER484475577797.exe, 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Masquerading1 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools11 | LSASS Memory | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scheduled Task/Job1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

    Behavior Graph

    [Behavior graph rendered as an image; the node information recoverable from it follows.]
    Behavior Graph ID: 431672; Sample: #RFQ ORDER484475577797.exe; Startdate: 09/06/2021; Architecture: WINDOWS; Score: 100
    Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
    #RFQ ORDER484475577797.exe (started): drops C:\Users\user\AppData\...\LNSXWuepjsOA.exe (PE32) and C:\Users\user\AppData\Local\...\tmp5439.tmp (XML); signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; starts a second #RFQ ORDER484475577797.exe, two powershell.exe processes and 2 other processes
    Second #RFQ ORDER484475577797.exe: contacts 194.5.98.120 (1604, 49724, 49725; DANILENKODE, Netherlands); drops C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    Each powershell.exe and each of the 2 other processes starts a conhost.exe

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe | 4% | ReversingLabs | Win32.Trojan.GenericML

    Unpacked PE Files

    Source | Detection | Scanner | Label
    10.2.#RFQ ORDER484475577797.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    10.0.#RFQ ORDER484475577797.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    10.2.#RFQ ORDER484475577797.exe.5e10000.30.unpack | 100% | Avira | TR/NanoCore.fadte
    10.0.#RFQ ORDER484475577797.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

    Domains

    No Antivirus matches

    URLs


    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
194.5.98.120 | true | Avira URL Cloud: safe | unknown
joseedward5001.ddns.net | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.microsoft.co | powershell.exe, 00000002.00000003.350811381.0000000009493000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.256253921.000000000745C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/siv | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/jp/4 | #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/ce | #RFQ ORDER484475577797.exe, 00000000.00000003.205031179.000000000561E000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comI.TTFu | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | #RFQ ORDER484475577797.exe, 00000000.00000003.199978541.00000000055E3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnht | #RFQ ORDER484475577797.exe, 00000000.00000003.202192893.00000000055ED000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/4 | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/uet; | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comasv | #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com4 | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/j | #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmJ | #RFQ ORDER484475577797.exe, 00000000.00000003.206661212.00000000055F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/) | #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com; | #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com_ | #RFQ ORDER484475577797.exe, 00000000.00000003.199978541.00000000055E3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fonts.com | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | #RFQ ORDER484475577797.exe, 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.381527007.0000000004981000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | #RFQ ORDER484475577797.exe, 00000000.00000003.206661212.00000000055F3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comic) | #RFQ ORDER484475577797.exe, 00000000.00000003.200581068.00000000055FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.351711715.0000000007AA7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.396636071.0000000007A98000.00000004.00000001.sdmp | false | - | high
https://go.micro | powershell.exe, 00000002.00000003.327034751.000000000533B000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.339252363.0000000004D7F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.342461886.0000000005253000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/P | #RFQ ORDER484475577797.exe, 00000000.00000003.204321884.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/N | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comica | #RFQ ORDER484475577797.exe, 00000000.00000003.224915984.00000000055E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000003.333673161.0000000007B8F000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.351711715.0000000007AA7000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.coml | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | #RFQ ORDER484475577797.exe, 00000000.00000003.202513228.00000000055E8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | #RFQ ORDER484475577797.exe, 00000000.00000003.202378192.00000000055E7000.00000004.00000001.sdmp, #RFQ ORDER484475577797.exe, 00000000.00000003.202695742.00000000055E6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | #RFQ ORDER484475577797.exe, 00000000.00000003.205395467.00000000055F9000.00000004.00000001.sdmp, #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/u | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/het | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/o | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/) | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn3 | #RFQ ORDER484475577797.exe, 00000000.00000003.202378192.00000000055E7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn4 | #RFQ ORDER484475577797.exe, 00000000.00000003.202513228.00000000055E8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | #RFQ ORDER484475577797.exe, 00000000.00000002.249815358.00000000067F2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/j | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comals | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0pP | #RFQ ORDER484475577797.exe, 00000000.00000003.203771830.00000000055E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comsief | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comitud | #RFQ ORDER484475577797.exe, 00000000.00000003.205873226.00000000055E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.120 | unknown | Netherlands | 208476 | DANILENKODE | true

                                  General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431672
Start date: 09.06.2021
Start time: 06:00:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: #RFQ ORDER484475577797.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/21@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 43.8%
• Quality standard deviation: 34.6%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
06:01:10 | API Interceptor | 968x Sleep call for process: #RFQ ORDER484475577797.exe modified
06:01:50 | API Interceptor | 97x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection
194.5.98.120 | Purchase_Order_Form_4667ROO3.exe | malicious
194.5.98.120 | IMG-06-05-345678909876543.exe | malicious

                                      Domains

                                      No context

                                      ASN

Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | b6yzWugw8V.exe | malicious | 194.5.98.107
DANILENKODE | 0041#Receipt.pif.exe | malicious | 194.5.98.180
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | PROOF OF PAYMENT.exe | malicious | 194.5.97.18
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.820.24493.exe | malicious | 194.5.97.61
DANILENKODE | DHL_file.exe | malicious | 194.5.98.145
DANILENKODE | BBS FX.xlsx | malicious | 194.5.97.61
DANILENKODE | GpnPv433gb.exe | malicious | 194.5.98.11
DANILENKODE | Kj7tTd1Zimp0ciI.exe | malicious | 194.5.97.197
DANILENKODE | Resume.exe | malicious | 194.5.98.8
DANILENKODE | SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe | malicious | 194.5.98.145
DANILENKODE | SecuriteInfo.com.Variant.Razy.840898.18291.exe | malicious | 194.5.98.144
DANILENKODE | 8LtwhjD2Qm.exe | malicious | 194.5.98.107
DANILENKODE | Receiptn.exe | malicious | 194.5.98.180
DANILENKODE | soa5.exe | malicious | 194.5.98.48
DANILENKODE | 68Aj4oxPok.exe | malicious | 194.5.98.144
DANILENKODE | Ysur2E8xPs.exe | malicious | 194.5.97.61
DANILENKODE | HI4B6mZPHx.exe | malicious | 194.5.98.55

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#RFQ ORDER484475577797.exe.log
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1406
                                      Entropy (8bit):5.341099307467139
                                      Encrypted:false
                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                      MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                      SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                      SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                      SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):14734
                                      Entropy (8bit):4.993014478972177
                                      Encrypted:false
                                      SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                      MD5:8D5E194411E038C060288366D6766D3D
                                      SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                      SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                      SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):22432
                                      Entropy (8bit):5.601026317548112
                                      Encrypted:false
                                      SSDEEP:384:BtCDFL9zhSggIRkGnTnRel4KnOsIiP7Y9gFSJUeRe1BMrmKZ1AV7nD2He64I+qzg:KkG+4KOsdrFXeNT4e4V
                                      MD5:D441FECFBC90075FAD33775038F0095C
                                      SHA1:55927F378AE17EC0A7DF2DDAE83D7848FB2F041B
                                      SHA-256:293AC01B9F1A15C9CCE0E416EE3DF851C39475E82DE6014A22847EB21BF28068
                                      SHA-512:027A8FFD08983312AB767AE0537D800E890ECB4F71423231AE98A487D3A38526455C9B3FB6945421A3830AA5C1DE484AF3A8E961845B6DE104A0CEC780EC534C
                                      Malicious:false
                                      Reputation:low
                                      Preview: @...e...................................X............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tg0nxmy.vv5.psm1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4oghqwf.k1g.ps1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjifbzqp.is4.psm1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ugjy2ffl.kar.ps1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xagkqtsl.tds.ps1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpenzzls.5ci.psm1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\tmp5439.tmp
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1645
                                      Entropy (8bit):5.19563600381544
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbh47TlNQ//rydbz9I3YODOLNdq3+
                                      MD5:9446876F31244201872510015A7EA95E
                                      SHA1:CB825B2C983C682796CF98AAB272F0ADEC79F18D
                                      SHA-256:CD02449A4809FA4ED344985993AA17AB08E25B76F70C75B84FEC26BEFA36B8B5
                                      SHA-512:2639393CDE51B79BA31DD5666E341A14AD76DED15E169BF98A517DFDC0E34AFBD792F819D7EE1A51F6281FD482DFFF85B31929A5094CF6A84B98AC69EB90A768
                                      Malicious:true
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
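The tmp5439.tmp preview above is a Task Scheduler XML definition: an enabled LogonTrigger for computer\user, an InteractiveToken principal at LeastPrivilege, MultipleInstancesPolicy StopExisting, and a RegistrationInfo Date of 2014-10-25, almost seven years before the 2021-06-09 analysis, so that date is a fixed value in the file rather than the time the task was registered. Note also that the prolog declares encoding="UTF-16" while the report identifies the bytes as ASCII text, so a parser that trusts the declaration will choke on it. The following Python is an added example, not code from the report or from the sample: it decodes such a file without trusting the prolog and reports the persistence-relevant fields. SAMPLE_TASK reproduces the fields visible in the preview; its <Actions> block and the Command path inside it are hypothetical, because the preview stops inside <Settings>, and the observation date is taken from the transcript file names in this report.

```python
"""Parse a Windows Task Scheduler XML definition and pull out its
persistence-relevant traits.

Added example, not the sandbox's or the malware's code. SAMPLE_TASK is
constructed from the fields visible in the report's preview of tmp5439.tmp.
The <Actions> block and its Command path are hypothetical: the preview is
cut off inside <Settings>, so the task's real action is not on the page.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ANALYSIS_DATE = datetime(2021, 6, 9)  # date in the report's transcript file names

SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <!-- hypothetical action, not taken from the report -->
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\hypothetical\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task(raw: bytes) -> ET.Element:
    """Decode the task XML ourselves. The dropped file declares UTF-16 in its
    prolog while its bytes are ASCII, so choose the decoding from the BOM (or
    its absence) and drop the prolog instead of trusting the declaration."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()
    return ET.fromstring(text)


def task_summary(root: ET.Element, observed_at: datetime) -> Dict:
    """Extract the fields an analyst wants from a task definition and flag
    the traits that matter for persistence."""
    def text(path: str) -> Optional[str]:
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    enabled_triggers: List[str] = []
    triggers = root.find("t:Triggers", NS)
    for trig in (list(triggers) if triggers is not None else []):
        if trig.findtext("t:Enabled", "true", NS).strip().lower() == "true":
            enabled_triggers.append(trig.tag.split("}", 1)[1])  # drop namespace

    reg_age_days: Optional[int] = None
    reg_date = text("t:RegistrationInfo/t:Date")
    if reg_date:
        # Task Scheduler writes 7 fractional digits; fromisoformat takes at most 6
        reg_dt = datetime.fromisoformat(re.sub(r"(\.\d{6})\d+$", r"\1", reg_date))
        reg_age_days = (observed_at - reg_dt).days

    commands = [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]

    flags = set()
    if "LogonTrigger" in enabled_triggers:
        flags.add("logon_persistence")
    if reg_age_days is not None and reg_age_days > 365:
        flags.add("stale_registration_date")  # date predates the task by far
    if any(re.search(r"\\AppData\\|\\Temp\\", c, re.I) for c in commands):
        flags.add("command_in_user_profile")

    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "enabled_triggers": enabled_triggers,
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "multiple_instances": text("t:Settings/t:MultipleInstancesPolicy"),
        "registration_age_days": reg_age_days,
        "commands": commands,
        "flags": flags,
    }


def analyze_sample() -> Dict:
    """Run the parser over the constructed sample at the report's analysis date."""
    return task_summary(load_task(SAMPLE_TASK.encode("ascii")), ANALYSIS_DATE)
```

The same loader works on a task exported from a live host (schtasks /Query /XML) or pulled from C:\Windows\System32\Tasks; the registration-age check is only meaningful when you compare the Date against when the task file actually appeared.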
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):3480
                                      Entropy (8bit):7.024371743172393
                                      Encrypted:false
                                      SSDEEP:96:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC0IlC08:f8L8L8L8L8L8L8L8L8L8L8L8L8L8L8r
                                      MD5:E1AFCDE67424226B8B4FC4209A77391C
                                      SHA1:B66E69ED31F39B8B0EFB652C514C43BCB42B5D28
                                      SHA-256:72826C35B0442BC1ACA3EE1C0CAA2DE87A694FC344BBF47A853082D26D6906F8
                                      SHA-512:313502CC6AF6482EF66C3CC10A65CBC60DBCF4C5EA4DA344833198902EE08996175FA60B12D05E7B5B887E08341B0468D47CD4CC578DF5D265E70CDE4F33F3D5
                                      Malicious:false
                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):8
                                      Entropy (8bit):3.0
                                      Encrypted:false
                                      SSDEEP:3:M:M
                                      MD5:94F847755D0DE54CF6CA9961C9C969EE
                                      SHA1:B63BC791DB5FDE76F962C652F651E4461B797BED
                                      SHA-256:071211A30D041059B4C4E674D2F22C953645E3FE5C09171202CE1B5267D36870
                                      SHA-512:957E701B2177E95E41722AAF63F5AFA480C8363681865AA0540DAD2937F48C3D74E8E0E43253EDC9AB95D8236E3110FD57961D4E6AE73EC082BFD67F5687BA3B
                                      Malicious:true
                                      Preview: .].F+.H
                                      C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):800768
                                      Entropy (8bit):7.563112762527505
                                      Encrypted:false
                                      SSDEEP:12288:qB4w15tyPvHv4nO1eklMV40J4o9MBfpXjgp6PSPxM6Grfs768VN21zX4y8:qY4O1ekULCXgp6PSPxMtE768VN2J
                                      MD5:18E38261E8EA6AE0077C5448F809CCB6
                                      SHA1:BBFAF42987014BA9571C75D1982843D7AD7155AC
                                      SHA-256:3CB5C285D5E7F163C9764EF3E99467F5460B7F704C996FFA8E5E2982A2A86693
                                      SHA-512:8E2FFA93BFDCA6E2B4A362FA85A21963A5C7425DC37C82D0259F522289EC4CFF515DB5899C03887FC0B0F83F4947BFBB97F509C2AC0806F38EBAD2AC46B9A3FB
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 4%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.`..............P......N........... ... ....@.. ....................................@.................................h...O.... ..hK..........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...hK... ...L..................@..@.reloc...............6..............@..B........................H...........d<..........x...."...........................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....oS...('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*..(3...*6..o4...(5...*&...o6...*.0..............,...+...(7...s8.....*&..(3....*.
                                      C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe:Zone.Identifier
                                      Process:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:false
                                      Preview: [ZoneTransfer]....ZoneId=0
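The 26-byte stream above, written by the sample to its own copy in AppData\Roaming, sets ZoneId=0 (Local machine); that is what the "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature refers to. A copy made with CopyFile keeps whatever Zone.Identifier the source carried, so a child file whose zone is more trusted than the zone of the process image that wrote it is worth flagging. The following Python is an added example, not code from the report or from the sample: it parses the stream format and performs that comparison. DROPPED_COPY_ADS is the stream shown above; DOWNLOADED_SAMPLE_ADS and its example.invalid URLs are constructed to stand in for a browser- or mail-client-written Internet-zone stream.

```python
"""Parse NTFS Zone.Identifier streams and spot Mark-of-the-Web downgrades.

Added example, not the sandbox's or the malware's code. DROPPED_COPY_ADS is
the 26-byte stream the report shows for LNSXWuepjsOA.exe:Zone.Identifier;
DOWNLOADED_SAMPLE_ADS is a constructed Internet-zone stream of the kind a
browser or mail client writes, included only for comparison.
"""
from typing import Dict, Optional

# URLZONE values used by Windows security zones
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed inputs (see module docstring)
DROPPED_COPY_ADS = "[ZoneTransfer]\r\nZoneId=0\r\n"
DOWNLOADED_SAMPLE_ADS = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachment\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the Key=Value pairs of the [ZoneTransfer] section.

    The stream is INI-like: one section header followed by Key=Value lines
    with CRLF terminators. Keys outside [ZoneTransfer] are ignored.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text: str) -> Optional[int]:
    """ZoneId as an int, or None when the stream has no usable ZoneId."""
    try:
        return int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None


def motw_downgraded(parent_ads: str, child_ads: str) -> bool:
    """True when a file written by an Internet-zone (or worse) process image
    carries a more trusted zone than that image. CopyFile carries the stream
    across unchanged, so the only way to get here is for the writer to have
    set the zone itself, as this sample does with ZoneId=0."""
    parent, child = zone_id(parent_ads), zone_id(child_ads)
    if parent is None or child is None:
        return False
    return parent >= 3 and child < parent


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier alternate data stream (NTFS only);
    None when the file or the stream does not exist."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None
```

On a Windows host, feed read_zone_identifier() the path of the process image from the file-write event and the path of the written file; on an image extracted elsewhere, pass the stream contents pulled with a forensic tool.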
                                      C:\Users\user\Documents\20210609\PowerShell_transcript.138727.QzgMIEIQ.20210609060115.txt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5797
                                      Entropy (8bit):5.415713008653414
                                      Encrypted:false
                                      SSDEEP:96:BZ+hENktqDo1ZzZ3PhENktqDo1ZddsWUjZrhENktqDo1Z7BEEFZy:S
                                      MD5:CA824DEAD6121491D79217A2C39FD399
                                      SHA1:73BCD105A1A14FCF1C1A4EDC38D649DA14D553AC
                                      SHA-256:43ECA14E267592783142ED5926C122025770383F743E346BD2D9D64AEA5A87EF
                                      SHA-512:4B1EC19081DAAB57743D001801B43ECD5A7D4CA74750C448B5853D577E49C065EE64F05637221BCE1F489A0B080B7EE86E119B39FD32C0A5340728E41837D165
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210609060141..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe..Process ID: 6052..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210609060141..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe..**********************..Windows PowerShell transcript start..Start time: 20210609060805..Username: computer\user..RunAs User: computer\
                                      C:\Users\user\Documents\20210609\PowerShell_transcript.138727.X6ZuAXXc.20210609060117.txt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5797
                                      Entropy (8bit):5.417979553216565
                                      Encrypted:false
                                      SSDEEP:96:BZ4hENmyqDo1Z4ZlhENmyqDo1ZxsWUjZ/hENmyqDo1ZkBEEhZa:oFz2
                                      MD5:5A7AD0849A4D8940ECB0224D99ED685F
                                      SHA1:BEFB48FDC96A6843CFDBEAB178B4ABAFF24440CF
                                      SHA-256:FDF27A85345399236C5F8069C8071016A0FCA637B4FBAFB49D1F88DCE305A73A
                                      SHA-512:0E0765D188913C6A020A32490E71621DE1B43820F5701D30DA838F6456EF5D448F862F1F958DFAE9A836D1CBDE503162A322015E6887035E5D1C14600F9050AF
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210609060143..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe..Process ID: 3292..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210609060144..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe..**********************..Windows PowerShell transcript start..Start time: 20210609060656..Username: computer\user..RunAs User: computer\
                                      C:\Users\user\Documents\20210609\PowerShell_transcript.138727.sxkKCi0R.20210609060114.txt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3587
                                      Entropy (8bit):5.41331628562482
                                      Encrypted:false
                                      SSDEEP:96:BZahENfeqDo1ZlOhZchENfeqDo1ZWqHBW0cBW0cBW0UZn:nk2GWFWFWl
                                      MD5:5CA658B9BC39C8A62F3C84EDB61C78AA
                                      SHA1:4975C9EC7BD674BEF41B9B330E4419DCCD4C4A94
                                      SHA-256:D444FE345A5D102C2962A23E9DB454FE43FC90945C5F16EA144961C549B445CA
                                      SHA-512:E95C7BD3A3982E643E6752D954905B17CCE040EA64C8C6581DF9F53B64ECD87BE194BE3ABE31A98C9E8F5A9F2B6F102F770817C9C1B303588F8082FF4D7EE602
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210609060134..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#RFQ ORDER484475577797.exe..Process ID: 5616..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210609060135..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#RFQ ORDER484475577797.exe..**********************..Command start time: 20210609060424..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter
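The three transcripts above record powershell.exe being started with Add-MpPreference -ExclusionPath, once for the sample on the Desktop and twice for its copy in AppData\Roaming (the "Adds a directory exclusion to Windows Defender" signature). The Desktop path contains a space and is passed unquoted, and that transcript ends in a TerminatingError about a positional parameter, so the cmdlet never bound the path and no exclusion was added for the original; the visible part of the two Roaming transcripts shows no such error. The following Python is an added example, not code from the report or from the sample: it parses transcript lines, attaches a TerminatingError to the command that preceded it, and flags exclusion values that were split on whitespace. SAMPLE_TRANSCRIPTS is constructed from the lines visible in the previews; the text of the error message beyond "A positional parameter" is an assumption, since the preview cuts it off there.

```python
"""Pull Windows Defender exclusion attempts out of PowerShell transcripts.

Added example, not the sandbox's or the malware's code. SAMPLE_TRANSCRIPTS is
constructed from the header and PS> lines visible in the report's transcript
previews. The preview cuts the TerminatingError line off after "A positional
parameter"; the rest of that message here is an assumption.
"""
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
EXCLUSION_PARAMS = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}

SAMPLE_TRANSCRIPTS = [
    # Transcript 1: exclusion for the original sample on the Desktop (PID 5616)
    r"""**********************
Windows PowerShell transcript start
Start time: 20210609060134
Username: computer\user
RunAs User: computer\user
Machine: 138727 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
Process ID: 5616
PSVersion: 5.1.17134.1
**********************
**********************
Command start time: 20210609060135
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
**********************
Command start time: 20210609060424
**********************
PS>TerminatingError(Add-MpPreference): "A positional parameter cannot be found that accepts argument 'ORDER484475577797.exe'."
""",
    # Transcript 2: exclusion for the dropped copy in AppData\Roaming (PID 6052)
    r"""**********************
Windows PowerShell transcript start
Start time: 20210609060141
Username: computer\user
RunAs User: computer\user
Machine: 138727 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe
Process ID: 6052
PSVersion: 5.1.17134.1
**********************
**********************
Command start time: 20210609060141
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe
""",
]


def tokenize(cmdline: str) -> List[str]:
    """Split a one-cmdlet command line into the arguments the parser would
    see: on whitespace, except inside '...' or "..." quotes."""
    tokens: List[str] = []
    current: List[str] = []
    quote = None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch.isspace():
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def exclusion_args(tokens: List[str]) -> List[Tuple[str, List[str]]]:
    """Collect each Defender exclusion parameter with the values following it.
    More than one value means the path was split on whitespace, which is what
    produces "A positional parameter cannot be found"."""
    found: List[Tuple[str, List[str]]] = []
    i = 0
    while i < len(tokens):
        if tokens[i].lower() in EXCLUSION_PARAMS:
            param, values = tokens[i], []
            i += 1
            while i < len(tokens) and not tokens[i].startswith("-"):
                values.append(tokens[i])
                i += 1
            found.append((param, values))
        else:
            i += 1
    return found


def parse_transcript(text: str) -> Dict:
    """Header fields (first occurrence wins) plus the PS> commands, with any
    TerminatingError attached to the command that preceded it."""
    header: Dict[str, str] = {}
    commands: List[Dict] = []
    for line in text.splitlines():
        if line.startswith("PS>TerminatingError("):
            if commands:
                commands[-1]["error"] = line[3:]
        elif line.startswith("PS>"):
            commands.append({"command": line[3:].strip(), "error": None})
        else:
            m = HEADER_RE.match(line)
            if m and m.group("key") not in header:
                header[m.group("key")] = m.group("val").strip()
    return {"header": header, "commands": commands}


def defender_exclusions(text: str) -> List[Dict]:
    """One finding per exclusion parameter in each Add-MpPreference call."""
    parsed = parse_transcript(text)
    findings: List[Dict] = []
    for cmd in parsed["commands"]:
        tokens = tokenize(cmd["command"])
        if not tokens or tokens[0].lower() != "add-mppreference":
            continue
        for param, values in exclusion_args(tokens):
            findings.append({
                "process_id": parsed["header"].get("Process ID"),
                "user": parsed["header"].get("Username"),
                "parameter": param,
                "value": " ".join(values),
                "split_by_space": len(values) > 1,
                "failed": cmd["error"] is not None,
            })
    return findings
```

The parser only sees what transcription captured; the Add-MpPreference call itself is better caught at the source with PowerShell script-block logging (event 4104) or a command-line rule on powershell.exe, and a successful call is also visible in the Defender operational log.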

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.563112762527505
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:#RFQ ORDER484475577797.exe
                                      File size:800768
                                      MD5:18e38261e8ea6ae0077c5448f809ccb6
                                      SHA1:bbfaf42987014ba9571c75d1982843d7ad7155ac
                                      SHA256:3cb5c285d5e7f163c9764ef3e99467f5460b7f704c996ffa8e5e2982a2a86693
                                      SHA512:8e2ffa93bfdca6e2b4a362fa85a21963a5c7425dc37c82d0259f522289ec4cff515db5899c03887fc0b0f83f4947bfbb97f509c2ac0806f38ebad2ac46b9a3fb
                                      SSDEEP:12288:qB4w15tyPvHv4nO1eklMV40J4o9MBfpXjgp6PSPxM6Grfs768VN21zX4y8:qY4O1ekULCXgp6PSPxMtE768VN2J
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.`..............P......N........... ... ....@.. ....................................@................................

                                      File Icon

                                      Icon Hash:b6f8c8dccce06110

                                      Static PE Info

                                      General

                                      Entrypoint:0x4c07ba
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x60C021FC [Wed Jun 9 02:05:48 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]    (0x402000 = ImageBase 0x400000 + RVA 0x2000: the usual 32-bit .NET entry stub, an indirect jump through the import table into mscoree.dll)
                                      add byte ptr [eax], al    (repeated 97 times: the bytes after the stub are zero padding, which the disassembler renders as add byte ptr [eax], al)

                                      Data Directories

                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xc0768          0x4f          .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc2000          0x4b68        .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0xc0630          0x1c          .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                      Sections

                                      Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                                      .text  | 0x2000          | 0xbe7c0      | 0xbe800  | False    | 0.817270033629  | data      | 7.61659853966   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc  | 0xc2000         | 0x4b68       | 0x4c00   | False    | 0.469161184211  | data      | 4.53099175809   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xc8000         | 0xc          | 0x200    | False    | 0.041015625     | data      | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name          | RVA     | Size   | Type                                                                      | Language | Country
                                      RT_ICON       | 0xc2160 | 0x25a8 | dBase III DBT, version number 0, next free block index 40                  |          |
                                      RT_ICON       | 0xc4718 | 0x10a8 | data                                                                      |          |
                                      RT_ICON       | 0xc57d0 | 0x988  | dBase III DBT, version number 0, next free block index 40                  |          |
                                      RT_ICON       | 0xc6168 | 0x468  | GLS_BINARY_LSB_FIRST                                                      |          |
                                      RT_GROUP_ICON | 0xc65e0 | 0x3e   | data                                                                      |          |
                                      RT_VERSION    | 0xc6630 | 0x338  | data                                                                      |          |
                                      RT_MANIFEST   | 0xc6978 | 0x1ea  | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                      Imports

                                      DLL          | Import
                                      mscoree.dll  | _CorExeMain

                                      Version Infos

                                      Description       | Data
                                      Translation       | 0x0000 0x04b0
                                      LegalCopyright    | Copyright Kanal 2 2012
                                      Assembly Version  | 2.0.0.0
                                      InternalName      | GuidStyles.exe
                                      FileVersion       | 2.0.0.0
                                      CompanyName       | Kanal 2
                                      LegalTrademarks   |
                                      Comments          |
                                      ProductName       | eg2012
                                      ProductVersion    | 2.0.0.0
                                      FileDescription   | eg2012
                                      OriginalFilename  | GuidStyles.exe

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                      Jun 9, 2021 06:01:23.657923937 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:23.909126043 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:23.910470009 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.001805067 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.272228956 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.289108038 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.544272900 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.586102962 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.597913027 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.904112101 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.904311895 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.922751904 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.923223019 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.923409939 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.924278021 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.924470901 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:24.925234079 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:24.925379038 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.201769114 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.201817036 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.201967001 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.202028036 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.202506065 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.202531099 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.202605009 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.204250097 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.204279900 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.204344034 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.206068993 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.481287003 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.481332064 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.481389046 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.481440067 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.482259989 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.482340097 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.483195066 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.483230114 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.483298063 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.485656977 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.485688925 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.485765934 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.485794067 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.486406088 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.486483097 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.487308025 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.487389088 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.491221905 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.505601883 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.505738974 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.505923033 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.507271051 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.509533882 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.509803057 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.587065935 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.753612995 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.753657103 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.753766060 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.755264044 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.755295038 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.755381107 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.756509066 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.756591082 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.757268906 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.757353067 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.759304047 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.759335995 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.759421110 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.761343956 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.761426926 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.763221025 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.763252974 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.763333082 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.765229940 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.765261889 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.765300035 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.765362978 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.787883043 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.788768053 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802500963 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802546024 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802592039 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802623034 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802659988 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802664995 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802691936 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802705050 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802711964 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802711964 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802759886 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802798033 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802803040 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802829981 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802845001 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802881002 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802891016 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802905083 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802938938 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.802947044 CEST  49724        1604       192.168.2.3   194.5.98.120
                                      Jun 9, 2021 06:01:25.802983999 CEST  1604         49724      194.5.98.120  192.168.2.3
                                      Jun 9, 2021 06:01:25.803004026 CEST  49724        1604       192.168.2.3   194.5.98.120

                                      Code Manipulations

                                      Statistics

                                      Behavior

                                      System Behavior

                                      General

                                      Start time:06:01:03
                                      Start date:09/06/2021
                                      Path:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
                                      Imagebase:0x170000
                                      File size:800768 bytes
                                      MD5 hash:18E38261E8EA6AE0077C5448F809CCB6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.234685013.0000000002611000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.237223638.0000000003611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      Reputation:low

                                      General

                                      Start time:06:01:12
                                      Start date:09/06/2021
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#RFQ ORDER484475577797.exe'
                                      Imagebase:0xf30000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:06:01:12
                                      Start date:09/06/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:01:13
                                      Start date:09/06/2021
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
                                      Imagebase:0xf30000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:06:01:13
                                      Start date:09/06/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6741d0000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:01:13
                                      Start date:09/06/2021
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LNSXWuepjsOA' /XML 'C:\Users\user\AppData\Local\Temp\tmp5439.tmp'
                                      Imagebase:0x60000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:01:14
                                      Start date:09/06/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:01:14
                                      Start date:09/06/2021
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LNSXWuepjsOA.exe'
                                      Imagebase:0xf30000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:06:01:15
                                      Start date:09/06/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:06:01:15
                                      Start date:09/06/2021
                                      Path:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\#RFQ ORDER484475577797.exe
                                      Imagebase:0x7f0000
                                      File size:800768 bytes
                                      MD5 hash:18E38261E8EA6AE0077C5448F809CCB6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.494989235.0000000006530000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.491944391.0000000004483000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.484331798.0000000002C1C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495585675.00000000065F0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495585675.00000000065F0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.222827759.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495314337.00000000065A0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495314337.00000000065A0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495206933.0000000006580000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495206933.0000000006580000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495261079.0000000006590000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495261079.0000000006590000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495369457.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495369457.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.483639790.0000000002BB1000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495737204.0000000006630000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495737204.0000000006630000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.223631637.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495530552.00000000065E0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495530552.00000000065E0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495151540.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495151540.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.493841988.0000000005430000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.493841988.0000000005430000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.489457795.0000000003BF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.489186804.00000000030DC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.467232540.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495415659.00000000065C0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495415659.00000000065C0000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.494542186.0000000005E10000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.491386366.0000000004223000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.491745715.00000000043D6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.492065013.000000000456E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.495101158.0000000006560000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.495101158.0000000006560000.00000004.00000001.sdmp, Author: Florian Roth
                                      Reputation: low

                                      Disassembly

                                      Code Analysis
