Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report wlCqbMRJ7p.exe

Overview

General Information

Sample Name:wlCqbMRJ7p.exe
Analysis ID:432310
MD5:ea153fc5dbc16bcb6987db3d8ad0e965
SHA1:a0a0e9b0c8fe4c1ced411ff302871a5d71885fc0
SHA256:8a6a233b22f5c0c2a2f69d9f5250796993d350373ab030558d4912e0b2c7a884
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wlCqbMRJ7p.exe (PID: 7068 cmdline: 'C:\Users\user\Desktop\wlCqbMRJ7p.exe' MD5: EA153FC5DBC16BCB6987DB3D8AD0E965)
    • powershell.exe (PID: 3980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1472 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4788 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5744 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wlCqbMRJ7p.exe (PID: 4824 cmdline: C:\Users\user\Desktop\wlCqbMRJ7p.exe MD5: EA153FC5DBC16BCB6987DB3D8AD0E965)
  • dhcpmon.exe (PID: 4832 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EA153FC5DBC16BCB6987DB3D8AD0E965)
    • powershell.exe (PID: 5948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 2460 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp9713.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4484 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7100 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: EA153FC5DBC16BCB6987DB3D8AD0E965)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97664809-6e2a-4645-9b6f-0ca411fc", "Group": "fingers", "Domain1": "redvelvet.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
wlCqbMRJ7p.exeMAL_CRIME_suspicious_hex_string_Jun21_1Triggers on parts of a big hex string available in lots of crime\'ish PE files.Nils Kuhnert
  • 0x280b6:$a1: 07032114130C0812141104170C0412147F6A6A0C041F321104130C0412141104030C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141122130C0412146423272A711221112B1C042734170408622513143D20262B0F323038692B312003271C170B3A2F286623340610241F001729210579223202642200087C071C17742417020620141462060F12141104130C0412141214001C0412011100160C0C002D2412130C0412141104130C04121A11041324001F140122130C0134171

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exeMAL_CRIME_suspicious_hex_string_Jun21_1Triggers on parts of a big hex string available in lots of crime\'ish PE files.Nils Kuhnert
  • 0x280b6:$a1: 07032114130C0812141104170C0412147F6A6A0C041F321104130C0412141104030C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141122130C0412146423272A711221112B1C042734170408622513143D20262B0F323038692B312003271C170B3A2F286623340610241F001729210579223202642200087C071C17742417020620141462060F12141104130C0412141214001C0412011100160C0C002D2412130C0412141104130C04121A11041324001F140122130C0134171
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMAL_CRIME_suspicious_hex_string_Jun21_1Triggers on parts of a big hex string available in lots of crime\'ish PE files.Nils Kuhnert
  • 0x280b6:$a1: 07032114130C0812141104170C0412147F6A6A0C041F321104130C0412141104030C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141104130C0412141122130C0412146423272A711221112B1C042734170408622513143D20262B0F323038692B312003271C170B3A2F286623340610241F001729210579223202642200087C071C17742417020620141462060F12141104130C0412141214001C0412011100160C0C002D2412130C0412141104130C04121A11041324001F140122130C0134171

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    Click to see the 72 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    14.2.dhcpmon.exe.3bde9a8.1.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x429ad:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x429ea:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    14.2.dhcpmon.exe.3bde9a8.1.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x42725:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x429ad:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x43fe6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x43fda:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x44e8b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x4ac42:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    • 0x429d7:$s5: IClientLoggingHost
    14.2.dhcpmon.exe.3bde9a8.1.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      14.2.dhcpmon.exe.3bde9a8.1.raw.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0x42715:$a: NanoCore
      • 0x42725:$a: NanoCore
      • 0x42959:$a: NanoCore
      • 0x4296d:$a: NanoCore
      • 0x429ad:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x42774:$b: ClientPlugin
      • 0x42976:$b: ClientPlugin
      • 0x429b6:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x4289b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x432a2:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      23.2.dhcpmon.exe.2bd3ac8.2.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
      Click to see the 166 entries

      Sigma Overview

      AV Detection:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wlCqbMRJ7p.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wlCqbMRJ7p.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      System Summary:

      barindex
      Sigma detected: Non Interactive PowerShellShow sources
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\wlCqbMRJ7p.exe' , ParentImage: C:\Users\user\Desktop\wlCqbMRJ7p.exe, ParentProcessId: 7068, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe', ProcessId: 3980

      Stealing of Sensitive Information:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wlCqbMRJ7p.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wlCqbMRJ7p.exe, ProcessId: 4824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97664809-6e2a-4645-9b6f-0ca411fc", "Group": "fingers", "Domain1": "redvelvet.ddns.net", "Domain2": "127.0.0.1", "Port": 8282, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "37.235.1.177"}
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 12%
      Source: C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exeReversingLabs: Detection: 12%
      Multi AV Scanner detection for submitted fileShow sources
      Source: wlCqbMRJ7p.exeVirustotal: Detection: 42%Perma Link
      Source: wlCqbMRJ7p.exeReversingLabs: Detection: 12%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORY
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPE
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.0.dhcpmon.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.0.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 23.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpackAvira: Label: TR/NanoCore.fadte
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: wlCqbMRJ7p.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: wlCqbMRJ7p.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: indows\DateTimeStyles.pdbpdbles.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\System.pdb\W44JI source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\wpIPglXzwe\src\obj\Debug\DateTimeStyles.pdb source: wlCqbMRJ7p.exe
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\user\Desktop\DateTimeStyles.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdbSy source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb F source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: wlCqbMRJ7p.exe, 00000000.00000002.680864386.0000000004B50000.00000002.00000001.sdmp, wlCqbMRJ7p.exe, 0000000C.00000002.932419504.0000000005280000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.784474524.0000000004C40000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdbse source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then mov esp, ebp
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then mov esp, ebp
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49752 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 194.5.98.5:8282
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 194.5.98.5:8282
      C2 URLs / IPs found in malware configurationShow sources
      Source: Malware configuration extractorURLs: redvelvet.ddns.net
      Source: Malware configuration extractorURLs: 127.0.0.1
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: redvelvet.ddns.net
      Source: global trafficTCP traffic: 192.168.2.4:49743 -> 194.5.98.5:8282
      Source: Joe Sandbox ViewIP Address: 194.5.98.5 194.5.98.5
      Source: Joe Sandbox ViewASN Name: DANILENKODE DANILENKODE
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F72AE6 WSARecv,
      Source: unknownDNS traffic detected: queries for: redvelvet.ddns.net
      Source: wlCqbMRJ7p.exeString found in binary or memory: http://127.0.0.1:61095/RestServiceImpl.svc/postJson
      Source: powershell.exe, 00000009.00000002.915812081.0000000000C6C000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.929803754.0000000008130000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: powershell.exe, 00000009.00000003.911147791.0000000009368000.00000004.00000001.sdmp, powershell.exe, 00000015.00000003.873521324.00000000081F1000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsof
      Source: powershell.exe, 00000009.00000003.855153597.0000000007B61000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft.
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: powershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000011.00000002.923874718.0000000005334000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000011.00000002.923627895.00000000051F1000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.922796881.0000000005051000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000011.00000002.923874718.0000000005334000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000009.00000003.855474816.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.co
      Source: powershell.exe, 00000009.00000003.855153597.0000000007B61000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.coLof
      Source: wlCqbMRJ7p.exeString found in binary or memory: https://github.com/Laicure/HostsY
      Source: powershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000005.00000003.803651549.0000000005107000.00000004.00000001.sdmpString found in binary or memory: https://go.micro(
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORY
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.936172427.0000000006150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.935698776.0000000006110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.935364932.00000000060E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.936810331.00000000061E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.924531012.0000000002DA5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.931965501.0000000005110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.936525996.00000000061A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.936631207.00000000061B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.2.dhcpmon.exe.2bd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.60d0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61be8a4.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6140000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2d61270.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.40dca61.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.52e0000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.61b4c9f.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.2df60d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.wlCqbMRJ7p.exe.2df60d0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F7131A NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F712DF NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F1460
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F4948
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F5698
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F3F40
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F4368
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F58E1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F58F8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F3830
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F493B
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F594F
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F37E0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F5313
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F3F2F
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F4359
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB58B0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB1C28
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB6068
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB69A0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB2588
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB0AB8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9B30
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04ABE8C8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB5808
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB95A8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB95B8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB4D81
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04ABA510
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB8560
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB8570
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9948
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9958
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB0AA9
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04ABEE78
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB8399
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9BEB
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB57E8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB8FE8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB8FF8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9760
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB9770
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007CB0B8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007CB640
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C88C0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C9B78
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007CCDA0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007CEFA8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C90F0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007CB0B8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C7510
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C7980
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C5AA8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C5A97
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A2E020
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A20040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A23AF1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A23AF1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A2E020
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A2E020
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A23AF1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A23AF1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A294EB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A23AF1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A7FC00
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CBEAE9
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_01153850
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_01158798
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_011523A0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_01152FA8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_0115AFF8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_0115945F
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_0115306F
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_01159398
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C889F
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C32BF
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C50E0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C5CE0
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C6588
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C5DA7
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C7BD8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C87D8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C31F8
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C25F8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4C91
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D1460
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D3F40
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4298
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4ED9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4EF0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D3830
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D37E0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4908
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D3F30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D4F47
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC58B0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC1C28
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC6068
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC69A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC2588
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC0AB8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9B30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC5808
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC95B8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC95A8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC4D81
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8528
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BCA510
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8570
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8560
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9958
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9948
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC0AA9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8399
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8FF8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC57E8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC8FE8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9BEB
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9770
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC9760
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_035F1A30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_035F2A20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0360E3F8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_036013A0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03602219
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0360317A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_036005D0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03605370
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03601390
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03600988
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03606DE0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0360CDF8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03625668
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0362A5AC
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0367CD40
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03677310
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0367CD40
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_03675AA8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0369B650
      Source: wlCqbMRJ7p.exeBinary or memory string: OriginalFilename vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000000.644238010.0000000000242000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeStyles.exe4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000002.680864386.0000000004B50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000003.646762567.0000000003ABA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000002.680277420.0000000004AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000002.682739655.0000000005830000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000002.681225355.0000000004D90000.00000002.00000001.sdmpBinary or memory string: originalfilename vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 00000000.00000002.681225355.0000000004D90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exeBinary or memory string: OriginalFilename vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.931072562.0000000004F60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.932419504.0000000005280000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000000.658798297.00000000005A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeStyles.exe4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.937361923.00000000065E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exeBinary or memory string: OriginalFilenameDateTimeStyles.exe4 vs wlCqbMRJ7p.exe
      Source: wlCqbMRJ7p.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: wlCqbMRJ7p.exe, type: SAMPLEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.936172427.0000000006150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936172427.0000000006150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.935698776.0000000006110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.935698776.0000000006110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.935364932.00000000060E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.935364932.00000000060E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.936810331.00000000061E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936810331.00000000061E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.924531012.0000000002DA5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.931965501.0000000005110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.931965501.0000000005110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.936525996.00000000061A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936525996.00000000061A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.936631207.00000000061B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.936631207.00000000061B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe, type: DROPPEDMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.2.dhcpmon.exe.2bd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.2bd3ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.60d0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.60d0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61be8a4.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61be8a4.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.540000.2.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 23.0.dhcpmon.exe.540000.4.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6140000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6140000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.540000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.0.wlCqbMRJ7p.exe.5a0000.4.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.2d61270.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2d61270.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.0.wlCqbMRJ7p.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.40dca61.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.40dca61.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6180000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61b0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6130000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.52e0000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.52e0000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6150000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.wlCqbMRJ7p.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.5110000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6110000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.6160000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.60e0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.40ceb8e.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2dd57f4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.61b4c9f.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61b4c9f.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.61a0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2de1a68.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.40d7dc2.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.540000.1.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.0.dhcpmon.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 0.0.wlCqbMRJ7p.exe.240000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.5a0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.0.wlCqbMRJ7p.exe.5a0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.2df60d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.wlCqbMRJ7p.exe.2df60d0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.dhcpmon.exe.330000.0.unpack, type: UNPACKEDPEMatched rule: MAL_CRIME_suspicious_hex_string_Jun21_1 date = 2021-06-04, hash5 = 479bf3fb8cff50a5de3d3742ab4b485b563b8faf171583b1015f80522ff4853e, hash4 = 404efa6fb5a24cd8f1e88e71a1d89da0aca395f82d8251e7fe7df625cd8e80aa, hash3 = cd283d89b1b5e9d2875987025009b5cf6b137e3441d06712f49e22e963e39888, hash2 = 3380c8c56d1216fe112cbc8f1d329b59e2cd2944575fe403df5e5108ca21fc69, hash1 = 37d60eb2daea90a9ba275e16115848c95e6ad87d20e4a94ab21bd5c5875a0a34, author = Nils Kuhnert, description = Triggers on parts of a big hex string available in lots of crime\'ish PE files.
      Source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: wlCqbMRJ7p.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: gNhkpKoVomdVye.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.12.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@27/31@16/1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F710DA AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F710A3 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile created: C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{97664809-6e2a-4645-9b6f-0ca411fc862b}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_01
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4240:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_01
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3309.tmpJump to behavior
      Source: wlCqbMRJ7p.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
      Source: wlCqbMRJ7p.exeVirustotal: Detection: 42%
      Source: wlCqbMRJ7p.exeReversingLabs: Detection: 12%
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile read: C:\Users\user\Desktop\wlCqbMRJ7p.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\wlCqbMRJ7p.exe 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Users\user\Desktop\wlCqbMRJ7p.exe C:\Users\user\Desktop\wlCqbMRJ7p.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp9713.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Users\user\Desktop\wlCqbMRJ7p.exe C:\Users\user\Desktop\wlCqbMRJ7p.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp9713.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: wlCqbMRJ7p.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: wlCqbMRJ7p.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: wlCqbMRJ7p.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbind source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: indows\DateTimeStyles.pdbpdbles.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\System.pdb\W44JI source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\wpIPglXzwe\src\obj\Debug\DateTimeStyles.pdb source: wlCqbMRJ7p.exe
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\user\Desktop\DateTimeStyles.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdbSy source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb F source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: wlCqbMRJ7p.exe, 00000000.00000002.680864386.0000000004B50000.00000002.00000001.sdmp, wlCqbMRJ7p.exe, 0000000C.00000002.932419504.0000000005280000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.784474524.0000000004C40000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: wlCqbMRJ7p.exe, 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdbse source: wlCqbMRJ7p.exe, 0000000C.00000002.921004978.0000000000F25000.00000004.00000040.sdmp

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_00D989CF push ecx; ret
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_02480AFB push esi; iretd
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F3459 push esp; ret
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F0872 pushfd ; retf
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F2A0C push edx; retf
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_048F2BD8 pushfd ; retn 001Ch
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04ABBCE5 push C2352FE7h; iretd
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 0_2_04AB4FE0 push edx; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_007C0FA8 push eax; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A78266 push ss; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A784C8 push FFFFFF8Bh; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00A7293C push eax; mov dword ptr [esp], edx
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB712A push FFFFFF8Bh; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CBB245 push FFFFFF8Bh; iretd
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB661A push FFFFFF8Bh; retf
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB3DCF push ecx; retf 0000h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB3DDF push eax; retf 0000h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB3DAF push ecx; retf 0000h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB3DBF push ecx; retf 0000h
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00CB3D70 push eax; retf 0000h
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_0115902D push ebx; ret
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_01156C50 push esp; ret
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_060C7A2B push es; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D2A0C push edx; retf
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D3459 push esp; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D0872 pushfd ; retf
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_049D2BD8 pushfd ; retn 001Fh
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BCBCE5 push C2352FE7h; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_04BC4FE0 push edx; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_035F51B0 push es; ret
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_035FE5D0 push C18B0771h; ret
      Source: initial sampleStatic PE information: section name: .text entropy: 7.33110466527
      Source: initial sampleStatic PE information: section name: .text entropy: 7.33110466527
      Source: initial sampleStatic PE information: section name: .text entropy: 7.33110466527
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile created: C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exeJump to dropped file
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeFile opened: C:\Users\user\Desktop\wlCqbMRJ7p.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
      Yara detected AntiVM3Show sources
      Source: Yara matchFile source: 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORY
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: wlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3235
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3932
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3819
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3021
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2997
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4002
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeWindow / User API: foregroundWindowGot 558
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1883
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 832
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 833
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 458
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exe TID: 7072Thread sleep time: -102403s >= -30000s
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exe TID: 7104Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764Thread sleep count: 3819 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764Thread sleep count: 3021 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6844Thread sleep count: 42 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396Thread sleep time: -40000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664Thread sleep count: 2997 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664Thread sleep count: 4002 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6880Thread sleep count: 52 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exe TID: 6892Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 768Thread sleep time: -103583s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7064Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788Thread sleep count: 833 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5820Thread sleep count: 458 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 816Thread sleep count: 56 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4420Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4476Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F70D66 GetSystemInfo,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeThread delayed: delay time: 102403
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 103583
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000003.00000003.874368764.00000000053C8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.901865940.0000000004F4A000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.923874718.0000000005334000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.924280516.000000000537B000.00000004.00000001.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: powershell.exe, 00000003.00000003.874368764.00000000053C8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.901865940.0000000004F4A000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.925301477.0000000005522000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.924280516.000000000537B000.00000004.00000001.sdmpBinary or memory string: Hyper-V
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsH
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.937361923.00000000065E0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: qA"SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.937361923.00000000065E0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.937361923.00000000065E0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: q#"SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: q87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.937361923.00000000065E0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Adds a directory exclusion to Windows DefenderShow sources
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Injects a PE file into a foreign processesShow sources
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeMemory written: C:\Users\user\Desktop\wlCqbMRJ7p.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeProcess created: C:\Users\user\Desktop\wlCqbMRJ7p.exe C:\Users\user\Desktop\wlCqbMRJ7p.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp9713.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.924531012.0000000002DA5000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.922197429.0000000003AD0000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.921685202.0000000003AD0000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.922099885.0000000001500000.00000002.00000001.sdmp, powershell.exe, 00000011.00000002.922197429.0000000003AD0000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.921685202.0000000003AD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.922099885.0000000001500000.00000002.00000001.sdmp, powershell.exe, 00000011.00000002.922197429.0000000003AD0000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.921685202.0000000003AD0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.922099885.0000000001500000.00000002.00000001.sdmp, powershell.exe, 00000011.00000002.922197429.0000000003AD0000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.921685202.0000000003AD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.925473444.0000000002ED2000.00000004.00000001.sdmpBinary or memory string: Program Manager|9
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORY
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: wlCqbMRJ7p.exe, 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: wlCqbMRJ7p.exe, 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: dhcpmon.exe, 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4832, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 4824, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7100, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: wlCqbMRJ7p.exe PID: 7068, type: MEMORY
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3c02a5d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3dbb529.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3bde9a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3db6f00.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 14.2.dhcpmon.exe.3af7938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3afe9a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bfe434.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5580000.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.0.wlCqbMRJ7p.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.5584629.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.wlCqbMRJ7p.exe.3a17938.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.2.dhcpmon.exe.3bf95fe.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ec4711.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ed0945.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 12.2.wlCqbMRJ7p.exe.3ee4f72.10.raw.unpack, type: UNPACKEDPE
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F7262A bind,
      Source: C:\Users\user\Desktop\wlCqbMRJ7p.exeCode function: 12_2_04F725D8 bind,

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Access Token Manipulation1Disable or Modify Tools11Input Capture11File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsProcess Injection112Deobfuscate/Decode Files or Information1LSASS MemorySystem Information Discovery13Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Scheduled Task/Job1Obfuscated Files or Information3Security Account ManagerQuery Registry1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSSecurity Software Discovery311Distributed Component Object ModelInput CaptureScheduled TransferRemote Access Software1SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsNon-Application Layer Protocol1Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion131Cached Domain CredentialsVirtualization/Sandbox Evasion131VNCGUI Input CaptureExfiltration Over C2 ChannelApplication Layer Protocol21Jamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 432310 Sample: wlCqbMRJ7p.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 12 other signatures 2->66 7 wlCqbMRJ7p.exe 7 2->7         started        11 dhcpmon.exe 2->11         started        process3 file4 46 C:\Users\user\AppData\...\gNhkpKoVomdVye.exe, PE32 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmp3309.tmp, XML 7->48 dropped 50 C:\Users\user\AppData\...\wlCqbMRJ7p.exe.log, ASCII 7->50 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 7->70 72 Adds a directory exclusion to Windows Defender 7->72 13 wlCqbMRJ7p.exe 7->13         started        18 powershell.exe 24 7->18         started        20 powershell.exe 26 7->20         started        30 2 other processes 7->30 74 Injects a PE file into a foreign processes 11->74 22 powershell.exe 11->22         started        24 schtasks.exe 11->24         started        26 powershell.exe 11->26         started        28 dhcpmon.exe 11->28         started        signatures5 process6 dnsIp7 58 redvelvet.ddns.net 194.5.98.5, 49743, 49748, 49751 DANILENKODE Netherlands 13->58 52 C:\Program Files (x86)\...\dhcpmon.exe, PE32 13->52 dropped 54 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 13->54 dropped 56 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 13->56 dropped 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->76 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 30->42         started        44 conhost.exe 30->44         started        file8 signatures9 process10

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      wlCqbMRJ7p.exe42%VirustotalBrowse
      wlCqbMRJ7p.exe13%ReversingLabsWin32.Trojan.Wacatac

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe13%ReversingLabsWin32.Trojan.Wacatac
      C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe13%ReversingLabsWin32.Trojan.Wacatac

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      12.0.wlCqbMRJ7p.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      12.2.wlCqbMRJ7p.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      23.0.dhcpmon.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      23.0.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      23.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      12.2.wlCqbMRJ7p.exe.5580000.19.unpack100%AviraTR/NanoCore.fadteDownload File
      12.0.wlCqbMRJ7p.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

      Domains

      SourceDetectionScannerLabelLink
      redvelvet.ddns.net1%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.microsoft.coLof0%Avira URL Cloudsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://crl.microsof0%URL Reputationsafe
      http://crl.microsof0%URL Reputationsafe
      http://crl.microsof0%URL Reputationsafe
      http://crl.microsof0%URL Reputationsafe
      http://127.0.0.1:61095/RestServiceImpl.svc/postJson0%Avira URL Cloudsafe
      http://www.microsoft.co0%URL Reputationsafe
      http://www.microsoft.co0%URL Reputationsafe
      http://www.microsoft.co0%URL Reputationsafe
      http://www.microsoft.co0%URL Reputationsafe
      https://go.micro(0%Avira URL Cloudsafe
      http://crl.microsoft.0%URL Reputationsafe
      http://crl.microsoft.0%URL Reputationsafe
      http://crl.microsoft.0%URL Reputationsafe
      http://crl.microsoft.0%URL Reputationsafe
      redvelvet.ddns.net0%Avira URL Cloudsafe
      127.0.0.10%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      redvelvet.ddns.net
      		194.5.98.5
      		truetrueunknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      redvelvet.ddns.nettrue
      • Avira URL Cloud: safe
      		unknown
      127.0.0.1true
      • Avira URL Cloud: safe
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://www.microsoft.coLofpowershell.exe, 00000009.00000003.855153597.0000000007B61000.00000004.00000001.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpfalse
      • URL Reputation: safe
      • URL Reputation: safe
      • URL Reputation: safe
      • URL Reputation: safe
      		unknown
      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000011.00000002.923874718.0000000005334000.00000004.00000001.sdmpfalse
        		high
        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpfalse
          		high
          http://crl.microsofpowershell.exe, 00000009.00000003.911147791.0000000009368000.00000004.00000001.sdmp, powershell.exe, 00000015.00000003.873521324.00000000081F1000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          http://127.0.0.1:61095/RestServiceImpl.svc/postJsonwlCqbMRJ7p.exefalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000011.00000002.923874718.0000000005334000.00000004.00000001.sdmpfalse
            		high
            http://www.microsoft.copowershell.exe, 00000009.00000003.855474816.00000000092C0000.00000004.00000001.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            https://github.com/Laicure/HostsYwlCqbMRJ7p.exefalse
              		high
              https://go.micro(powershell.exe, 00000005.00000003.803651549.0000000005107000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              		low
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000011.00000002.923627895.00000000051F1000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.922796881.0000000005051000.00000004.00000001.sdmpfalse
                		high
                http://crl.microsoft.powershell.exe, 00000009.00000003.855153597.0000000007B61000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                https://github.com/Pester/Pesterpowershell.exe, 00000005.00000003.768948665.00000000078D0000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.789674182.0000000007B36000.00000004.00000001.sdmpfalse
                  		high
                  https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.csswlCqbMRJ7p.exe, 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmpfalse
                    		high

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    194.5.98.5
                    		redvelvet.ddns.netNetherlands
                    		208476DANILENKODEtrue

                    General Information

                    Joe Sandbox Version:32.0.0 Black Diamond
                    Analysis ID:432310
                    Start date:10.06.2021
                    Start time:03:18:12
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 14m 53s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:wlCqbMRJ7p.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:31
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@27/31@16/1
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 0.2% (good quality ratio 0.1%)
                    • Quality average: 24.9%
                    • Quality standard deviation: 38%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    Show All
                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                    • TCP Packets have been reduced to 100
                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                    • Not all processes where analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    03:18:59API Interceptor616x Sleep call for process: wlCqbMRJ7p.exe modified
                    03:19:11AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                    03:19:21API Interceptor1x Sleep call for process: dhcpmon.exe modified
                    03:19:38API Interceptor241x Sleep call for process: powershell.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    194.5.98.5Payment proof.jpg.exeGet hashmaliciousBrowse
                      Proof Of Payment.jpg.exeGet hashmaliciousBrowse
                        Proof of payment.pdf.exeGet hashmaliciousBrowse
                          QW8lWJDpU8.exeGet hashmaliciousBrowse
                            PURCHASE ORDER.exeGet hashmaliciousBrowse
                              cxZ1hwj54g.exeGet hashmaliciousBrowse
                                5099834809.xlsxGet hashmaliciousBrowse
                                  TARyFCk62Q.exeGet hashmaliciousBrowse
                                    INWARD-OUTWARD 04-02-21.xlsxGet hashmaliciousBrowse
                                      Contract-CSPL418819-20 RS.2360.exeGet hashmaliciousBrowse
                                        Statement Of Account 2020.exeGet hashmaliciousBrowse
                                          Incentive Doc.exeGet hashmaliciousBrowse
                                            RFQ-Revised P.O DETAIL PRICE PER MTR .exeGet hashmaliciousBrowse
                                              RFQ-P.O DETAIL PRICE PER MTR .exeGet hashmaliciousBrowse
                                                75BALANCE PAYMENT.vbsGet hashmaliciousBrowse
                                                  Lists_of_Agents.jarGet hashmaliciousBrowse
                                                    Lists_of_Agents.jarGet hashmaliciousBrowse

                                                      Domains

                                                      No context

                                                      ASN

                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                      DANILENKODESecuriteInfo.com.Trojan.PackedNET.832.3222.exeGet hashmaliciousBrowse
                                                      • 194.5.98.144
                                                      SecuriteInfo.com.Trojan.PackedNET.831.12541.exeGet hashmaliciousBrowse
                                                      • 194.5.98.144
                                                      0Cg1YYs1sv.exeGet hashmaliciousBrowse
                                                      • 194.5.98.144
                                                      Duplicated Orders.xlsxGet hashmaliciousBrowse
                                                      • 194.5.98.144
                                                      DEPOSITAR.xlsxGet hashmaliciousBrowse
                                                      • 194.5.98.144
                                                      InvoicePOzGlybgcIc1vHasG.exeGet hashmaliciousBrowse
                                                      • 194.5.98.87
                                                      POInvoiceOrderIuVvcl0VWEOAmXy.exeGet hashmaliciousBrowse
                                                      • 194.5.98.87
                                                      payment invoice.exeGet hashmaliciousBrowse
                                                      • 194.5.98.23
                                                      #RFQ ORDER484475577797.exeGet hashmaliciousBrowse
                                                      • 194.5.98.120
                                                      b6yzWugw8V.exeGet hashmaliciousBrowse
                                                      • 194.5.98.107
                                                      0041#Receipt.pif.exeGet hashmaliciousBrowse
                                                      • 194.5.98.180
                                                      j07ghiByDq.exeGet hashmaliciousBrowse
                                                      • 194.5.97.146
                                                      j07ghiByDq.exeGet hashmaliciousBrowse
                                                      • 194.5.97.146
                                                      PROOF OF PAYMENT.exeGet hashmaliciousBrowse
                                                      • 194.5.97.18
                                                      SecuriteInfo.com.Trojan.PackedNET.820.24493.exeGet hashmaliciousBrowse
                                                      • 194.5.97.61
                                                      DHL_file.exeGet hashmaliciousBrowse
                                                      • 194.5.98.145
                                                      BBS FX.xlsxGet hashmaliciousBrowse
                                                      • 194.5.97.61
                                                      GpnPv433gb.exeGet hashmaliciousBrowse
                                                      • 194.5.98.11
                                                      Kj7tTd1Zimp0ciI.exeGet hashmaliciousBrowse
                                                      • 194.5.97.197
                                                      Resume.exeGet hashmaliciousBrowse
                                                      • 194.5.98.8

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):896000
                                                      Entropy (8bit):7.316601007784806
                                                      Encrypted:false
                                                      SSDEEP:12288:OZteT+hWvTyES7Z2Ww2iPz2uI6JTB0Ds+OPgdKNAbc0VWLC:OZteAE72uDoRdKNsF
                                                      MD5:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      SHA1:A0A0E9B0C8FE4C1CED411FF302871A5D71885FC0
                                                      SHA-256:8A6A233B22F5C0C2A2F69D9F5250796993D350373AB030558D4912E0B2C7A884
                                                      SHA-512:AD5425385EBE9675068CCA1497651F7F988D0C8C16CB8EB1CBA05B86E7B47CE9726E656D22A37F32EECB710EAA9B38D9449CD2C61702B1862CEB6051DC679CA3
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: MAL_CRIME_suspicious_hex_string_Jun21_1, Description: Triggers on parts of a big hex string available in lots of crime\'ish PE files., Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Nils Kuhnert
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 13%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.`..............P..^...L.......|... ........@.. ....................................@..................................|..O........H..........................`{............................................... ............... ..H............text....]... ...^.................. ..`.rsrc....H.......J...`..............@..@.reloc..............................@..B.................|......H............\......:...8M..(.............................................()...*&..(*....*.s+........s,........s-........s.........s/........*...0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*&..(5....*...0..<........~.....(6.....,!r...p.....(7...o8...s9............~.....+..*.0...........~.....+..*".......*.0..&........(....r+..p~....o:...(;.....t#....+..*...0..&........(....rc..p~....
                                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):655
                                                      Entropy (8bit):5.273171405160065
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
                                                      MD5:2703120C370FBB4A8BA08C6D1754039E
                                                      SHA1:EC0DB47BF00A4A828F796147619386C0BBEA66A1
                                                      SHA-256:F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
                                                      SHA-512:BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
                                                      Malicious:false
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wlCqbMRJ7p.exe.log
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):655
                                                      Entropy (8bit):5.273171405160065
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
                                                      MD5:2703120C370FBB4A8BA08C6D1754039E
                                                      SHA1:EC0DB47BF00A4A828F796147619386C0BBEA66A1
                                                      SHA-256:F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
                                                      SHA-512:BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
                                                      Malicious:true
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):14734
                                                      Entropy (8bit):4.996142136926143
                                                      Encrypted:false
                                                      SSDEEP:384:4NXp5K3EJOdBSib4fdVoGIpN6KQkj2mYoHr8kjh4iUx/:4NZs3EJOdBUV3IpNBQkj2mYoHrVh4iUF
                                                      MD5:535E5C527F233BD5B4F2811B9CBC7E7B
                                                      SHA1:887C6E87D7AAF0CE356BA9C44171C462986F5FDC
                                                      SHA-256:1AEBE09565FDCD2A79110F2DE1228E3197EC81C3C463864D8DDE978529FCF0AA
                                                      SHA-512:0FE6275A3BC5C50492C2EFFEDDE32D64313D6345F3D57547A38F49F06965F3DF5DE83C8C13E1F15843B4494EE489A9AD7B1840D6D6AB82231D375660C51E77D1
                                                      Malicious:false
                                                      Preview: PSMODULECACHE.............a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider................Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepo
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):22344
                                                      Entropy (8bit):5.601842721406367
                                                      Encrypted:false
                                                      SSDEEP:384:otCD6awy3IINYb01V+We1SBKn+ul6yb7Y9gCJUeR21BMTmjZ1AV7Maz6t564I+xE:GNbU04K+ul//neNS4Izk
                                                      MD5:71056E204BBC6E3019954DDA3AF313D0
                                                      SHA1:6FF57B60AA783BA26BE28525B3F97A032B9173F4
                                                      SHA-256:A921B7675AE4E875E3657843F6603D1B32BC6011C6B4131F01F1A138D123F862
                                                      SHA-512:3EBCFB2DD86396FF84E2D0AFDCF6B5C89CE8E75843CAE08BBE0EE115E95878F249C8FC82DB674E4D8F54CC1656C3A936103F665FB2BFD0A34EC10DBC1D2302BF
                                                      Malicious:false
                                                      Preview: @...e.......................R.D.$.....~.:............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1bo0r2r0.wsn.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3htaeijg.x2c.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2s3qtj1.iwa.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_diefczqm.can.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dk2xvxwh.1h3.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjkf15of.hyz.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idwslufu.s4c.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pihcsfys.f03.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxf4rd0x.gih.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdy0kp3f.bof.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\tmp3309.tmp
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1647
                                                      Entropy (8bit):5.185264961113356
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGkY4tn:cbhK79lNQR/rydbz9I3YODOLNdq3o+
                                                      MD5:181E6C51C3391FC79D502B5103E0AA6D
                                                      SHA1:5EE490F2CEBE089EB18126866F0AB7E549502974
                                                      SHA-256:D80E9E5051EFFC66857FF8B6DD8ACC89043EF8D5E1CAC5864DA21B96AAB53C4E
                                                      SHA-512:64A5AA73C9B50DF81AEC6E0163F450FC5DA962C5E6D1297E0DB45E3D2F948A15019AAFC36F20FC5387614F90588A1D5522447DC2DE2A475323C096CDD27E9F64
                                                      Malicious:true
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                      C:\Users\user\AppData\Local\Temp\tmp9713.tmp
                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1647
                                                      Entropy (8bit):5.185264961113356
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGkY4tn:cbhK79lNQR/rydbz9I3YODOLNdq3o+
                                                      MD5:181E6C51C3391FC79D502B5103E0AA6D
                                                      SHA1:5EE490F2CEBE089EB18126866F0AB7E549502974
                                                      SHA-256:D80E9E5051EFFC66857FF8B6DD8ACC89043EF8D5E1CAC5864DA21B96AAB53C4E
                                                      SHA-512:64A5AA73C9B50DF81AEC6E0163F450FC5DA962C5E6D1297E0DB45E3D2F948A15019AAFC36F20FC5387614F90588A1D5522447DC2DE2A475323C096CDD27E9F64
                                                      Malicious:false
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):3016
                                                      Entropy (8bit):7.024371743172393
                                                      Encrypted:false
                                                      SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrws:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                                                      MD5:1BD61AD9406ED789A9447AF5E4E1368C
                                                      SHA1:10C211612AAFC0F9A3E5DD15A45EDC08E5D76038
                                                      SHA-256:AD46B72200459E73CDEBC96C7A48468559D68DDC223627FBE4BCF93F32311F57
                                                      SHA-512:79EF944DE5355166735808D59ABB8EB7AEF35BCFF537DD60783CAD75FC98FC9649D971C3A36A1566EA26B28FFAD57E9BC065BFF7D0B26E868AB2B2FC1DC39DBC
                                                      Malicious:false
                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:+O8t:+h
                                                      MD5:69C54B1AD13B74871DE937C392F68B0D
                                                      SHA1:B97BFBA5C96495D4F4BC1A926D71374BDEF7F0DD
                                                      SHA-256:BB6B981994E409B732EDF03D4164766F540F9FF755667F1A0DE77B3147E5F4BB
                                                      SHA-512:ED27EADA6677FF67E1B344CEE675F2DDE44E5257E718EC05D93BE57F064DD26791D1D722157BB336E534DD7DC8DEA8604E24FD5380A1558BE90D26DD2EE0CD28
                                                      Malicious:true
                                                      Preview: q...+.H
                                                      C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):896000
                                                      Entropy (8bit):7.316601007784806
                                                      Encrypted:false
                                                      SSDEEP:12288:OZteT+hWvTyES7Z2Ww2iPz2uI6JTB0Ds+OPgdKNAbc0VWLC:OZteAE72uDoRdKNsF
                                                      MD5:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      SHA1:A0A0E9B0C8FE4C1CED411FF302871A5D71885FC0
                                                      SHA-256:8A6A233B22F5C0C2A2F69D9F5250796993D350373AB030558D4912E0B2C7A884
                                                      SHA-512:AD5425385EBE9675068CCA1497651F7F988D0C8C16CB8EB1CBA05B86E7B47CE9726E656D22A37F32EECB710EAA9B38D9449CD2C61702B1862CEB6051DC679CA3
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: MAL_CRIME_suspicious_hex_string_Jun21_1, Description: Triggers on parts of a big hex string available in lots of crime\'ish PE files., Source: C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe, Author: Nils Kuhnert
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 13%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.`..............P..^...L.......|... ........@.. ....................................@..................................|..O........H..........................`{............................................... ............... ..H............text....]... ...^.................. ..`.rsrc....H.......J...`..............@..@.reloc..............................@..B.................|......H............\......:...8M..(.............................................()...*&..(*....*.s+........s,........s-........s.........s/........*...0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*&..(5....*...0..<........~.....(6.....,!r...p.....(7...o8...s9............~.....+..*.0...........~.....+..*".......*.0..&........(....r+..p~....o:...(;.....t#....+..*...0..&........(....rc..p~....
                                                      C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                      C:\Users\user\Documents\20210610\PowerShell_transcript.813848.3SxkLcFC.20210610031941.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):854
                                                      Entropy (8bit):5.3310294907878415
                                                      Encrypted:false
                                                      SSDEEP:24:BxSAT7vBZqx2DOXUWeSuakYMWoHjeTKKjX4CIym1ZJXvuakYI:BZ3vjqoO+S7XoqDYB1ZF7I
                                                      MD5:328D3815A1FC225E9F84B593EA6667B9
                                                      SHA1:4ECBB13185355DECDE04CFD473939F6B89798CF3
                                                      SHA-256:4850895877F0C3989AD0E51E780EA3C7020F69398D0BEA30CE331F982C85745A
                                                      SHA-512:26B77E3997155A6BAABDCB98A7BF7C0A04572694BCF124A583AA6FF1C6DD88678CBA8663FF6780F7D92EF4D5A2F902A774111064DA99FA72765C166091B4DBFB
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610032042..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..Process ID: 4484..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610032042..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..
                                                      C:\Users\user\Documents\20210610\PowerShell_transcript.813848.Bx+_dXPM.20210610031935.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):850
                                                      Entropy (8bit):5.324204854460399
                                                      Encrypted:false
                                                      SSDEEP:24:BxSA17vBZqx2DOXUWeSur+WWHjeTKKjX4CIym1ZJXGurS:BZBvjqoO+SepWqDYB1ZoeS
                                                      MD5:7473A38C1053380965CB764A570782F8
                                                      SHA1:A9E2E12D3CE552C154751D43F8A1A6195BC1AB4D
                                                      SHA-256:7B24B0F0D51D2D0569777D2CC0BF8AA9BCA26F0C8B7BD51ED422171702A0E5DA
                                                      SHA-512:D769B40B3522F5FF634E31A9FD492C4F1A5E6384E5ED41B26B8F6A6AC734DA6623F316BC7880BA38776B7299FE74F78FA9D62425B3C999E4A0AF95CB98988899
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610032031..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 5948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610032032..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..
                                                      C:\Users\user\Documents\20210610\PowerShell_transcript.813848.OLqUOkrV.20210610031906.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):5805
                                                      Entropy (8bit):5.401135716345985
                                                      Encrypted:false
                                                      SSDEEP:96:BZKjqNxsqDo1ZeZZ2jqNxsqDo1ZC+EmjZhjqNxsqDo1ZLnWW8Z/:p71xd
                                                      MD5:7BD9C684BD9582E9F3102AD650C1918B
                                                      SHA1:194CE7D0DF22C2169752D8B54D80974578ED41CE
                                                      SHA-256:908605AC2E011552C13B036A443E8ED8969D17A5A7344726D192450FDC5F6D1C
                                                      SHA-512:0C60C2359695BDF494F9E63B6BB124467C94763213F076C21E1B6C58DD123395A2FDD283E0A30E89057A253422655AA5C0F06AC46B241868143F8130866789E4
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610031929..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..Process ID: 5744..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610031930..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..**********************..Windows PowerShell transcript start..Start time: 20210610032810..Username: computer\user..RunAs User: DESKTOP-716T
                                                      C:\Users\user\Documents\20210610\PowerShell_transcript.813848.RjmHMK69.20210610031905.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):5805
                                                      Entropy (8bit):5.397704202593913
                                                      Encrypted:false
                                                      SSDEEP:96:BZejqNxoqDo1ZfZZ9jqNxoqDo1Zr+EmjZljqNxoqDo1ZnnWWbZW:di24f
                                                      MD5:37798BA8C1D05252C3ABA462F4A4288A
                                                      SHA1:F2091E424956379AD8DF07CED2227F3454E84311
                                                      SHA-256:805824D8A18B5C5CDAFDCC7857FA86790FBFC0B1335E4CA6E65D76847592B4A4
                                                      SHA-512:ADAF6323913F26B94424B69150EADB87C8A53801293A1DFDD6652341FB9D79754977C6D1C0D86FD2910C23EE93027D0575A6A48E1302592BB4261B516E5D4FDD
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610031925..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..Process ID: 1472..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610031926..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe..**********************..Windows PowerShell transcript start..Start time: 20210610033014..Username: computer\user..RunAs User: DESKTOP-716T
                                                      C:\Users\user\Documents\20210610\PowerShell_transcript.813848.uNy5FhJk.20210610031903.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):5733
                                                      Entropy (8bit):5.4045236026407375
                                                      Encrypted:false
                                                      SSDEEP:96:BZpjqNX1qDo1ZEZUjqNX1qDo1ZYOoGjZmjqNX1qDo1ZejWW4ZD:a2JX
                                                      MD5:96DDC85D0D007B3154E1B6A38CC15C70
                                                      SHA1:7BD6CE7BCF33CE26A5F966FB8365B5FE6D375B31
                                                      SHA-256:03F37EC3012B77DBF61E5CE4B5A5FB479BFAF77B6BE47DE16263088A0B13D4F0
                                                      SHA-512:28B0872A319E2446156E1EA8AE2B27337054E72927E85704722172B0BF35F5F0072FB367CC44356B4BC77E73B2355E994945DA7AC314AE3032582C50C8284E26
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610031922..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\wlCqbMRJ7p.exe..Process ID: 3980..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610031922..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\wlCqbMRJ7p.exe..**********************..Windows PowerShell transcript start..Start time: 20210610032759..Username: computer\user..RunAs User: computer\user..Configuration

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.316601007784806
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:wlCqbMRJ7p.exe
                                                      File size:896000
                                                      MD5:ea153fc5dbc16bcb6987db3d8ad0e965
                                                      SHA1:a0a0e9b0c8fe4c1ced411ff302871a5d71885fc0
                                                      SHA256:8a6a233b22f5c0c2a2f69d9f5250796993d350373ab030558d4912e0b2c7a884
                                                      SHA512:ad5425385ebe9675068cca1497651f7f988d0c8c16cb8eb1cba05b86e7b47ce9726e656d22a37f32eecb710eaa9b38d9449cd2c61702b1862ceb6051dc679ca3
                                                      SSDEEP:12288:OZteT+hWvTyES7Z2Ww2iPz2uI6JTB0Ds+OPgdKNAbc0VWLC:OZteAE72uDoRdKNsF
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..`..............P..^...L.......|... ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:60d088f59092cc31

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4d7cea
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x60B9DB3F [Fri Jun 4 07:50:23 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add dword ptr [eax], eax
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [ecx], eax
                                                      add dword ptr [ecx], eax
                                                      add dword ptr [ecx], eax
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xd7c980x4f.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xd80000x48e0.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xde0000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xd7b600x1c.text
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000xd5d000xd5e00False0.722418815751data7.33110466527IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc0xd80000x48e00x4a00False0.525601773649data5.37036238594IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0xde0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountry
                                                      RT_ICON0xd81300x4228dBase III DBT, version number 0, next free block index 40
                                                      RT_GROUP_ICON0xdc3580x14data
                                                      RT_VERSION0xdc36c0x388data
                                                      RT_MANIFEST0xdc6f40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Version Infos

                                                      DescriptionData
                                                      Translation0x0000 0x04b0
                                                      LegalCopyrightCopyright 2015 - 2021
                                                      Assembly Version1.0.0.0
                                                      InternalNameDateTimeStyles.exe
                                                      FileVersion1.0.0.0
                                                      CompanyNameUrbaniSoft
                                                      LegalTrademarks
                                                      Commentsde Mailslot tipo cliente
                                                      ProductNameMail Slot
                                                      ProductVersion1.0.0.0
                                                      FileDescriptionMail Slot
                                                      OriginalFilenameDateTimeStyles.exe

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                      06/10/21-03:19:12.257711TCP2025019ET TROJAN Possible NanoCore C2 60B497438282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:19.344107TCP2025019ET TROJAN Possible NanoCore C2 60B497488282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:26.639584TCP2025019ET TROJAN Possible NanoCore C2 60B497518282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:34.208652TCP2025019ET TROJAN Possible NanoCore C2 60B497528282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:41.501545TCP2025019ET TROJAN Possible NanoCore C2 60B497538282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:50.221494TCP2025019ET TROJAN Possible NanoCore C2 60B497548282192.168.2.4194.5.98.5
                                                      06/10/21-03:19:57.737926UDP254DNS SPOOF query response with TTL of 1 min. and no authority535644837.235.1.174192.168.2.4
                                                      06/10/21-03:19:58.056603TCP2025019ET TROJAN Possible NanoCore C2 60B497588282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:13.169010TCP2025019ET TROJAN Possible NanoCore C2 60B497718282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:22.061783TCP2025019ET TROJAN Possible NanoCore C2 60B497738282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:29.304711TCP2025019ET TROJAN Possible NanoCore C2 60B497748282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:38.852865TCP2025019ET TROJAN Possible NanoCore C2 60B497758282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:46.918929TCP2025019ET TROJAN Possible NanoCore C2 60B497768282192.168.2.4194.5.98.5
                                                      06/10/21-03:20:55.780084TCP2025019ET TROJAN Possible NanoCore C2 60B497778282192.168.2.4194.5.98.5
                                                      06/10/21-03:21:03.406782UDP254DNS SPOOF query response with TTL of 1 min. and no authority536283337.235.1.174192.168.2.4
                                                      06/10/21-03:21:03.725763TCP2025019ET TROJAN Possible NanoCore C2 60B497788282192.168.2.4194.5.98.5

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jun 10, 2021 03:19:11.208496094 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:11.976670980 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:11.979473114 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:12.257710934 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:13.053592920 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:13.053698063 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:13.408266068 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:13.408451080 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:13.636034012 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:13.636188030 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:13.990186930 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:13.990353107 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.281913042 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.283252001 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.296562910 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.296803951 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.454405069 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.454478979 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.468961000 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.469160080 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.483500004 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.484499931 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.498264074 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.498431921 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.513268948 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.624425888 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.624684095 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.638628006 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.638704062 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.653398037 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.653495073 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.668200970 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.671482086 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.682334900 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.682406902 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.697139025 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.697204113 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.711762905 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.716240883 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:14.726481915 CEST828249743194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:14.732259035 CEST497438282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:19.054696083 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:19.212577105 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:19.212764025 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:19.344106913 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:19.568842888 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:19.568958998 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:19.917749882 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:19.917869091 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.078794003 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.078995943 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.432939053 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.434030056 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.714212894 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.714279890 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.728890896 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.728961945 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.882723093 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.882791042 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.897476912 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.897593975 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.912074089 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.912131071 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:20.927184105 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:20.927315950 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.052170992 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.052330017 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.066198111 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.066304922 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.080959082 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.081769943 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.095709085 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.095837116 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.110251904 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.111502886 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.125176907 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.125725985 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.139776945 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.139914036 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.154443979 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.156766891 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.222106934 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.222189903 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.236774921 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.236963034 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.251372099 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.252403975 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.265743017 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.266079903 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.280601025 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.280678988 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.295248985 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.295334101 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.309647083 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.309803963 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.324389935 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.324497938 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.338912964 CEST828249748194.5.98.5192.168.2.4
                                                      Jun 10, 2021 03:19:21.338992119 CEST497488282192.168.2.4194.5.98.5
                                                      Jun 10, 2021 03:19:21.353395939 CEST828249748194.5.98.5192.168.2.4

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jun 10, 2021 03:19:11.142307043 CEST5662753192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:11.198112011 CEST535662737.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:18.993657112 CEST6172153192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:19.051736116 CEST536172137.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:26.174827099 CEST6152253192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:26.394258976 CEST536152237.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:33.732223034 CEST5233753192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:33.787194014 CEST535233737.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:41.269577026 CEST5504653192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:41.341258049 CEST535504637.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:47.945164919 CEST4961253192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:48.968564987 CEST4961253192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:49.755642891 CEST534961237.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:19:57.645277977 CEST5644853192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:19:57.737926006 CEST535644837.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:05.220132113 CEST4922853192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:05.275959969 CEST534922837.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:11.986114025 CEST5275253192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:12.395452976 CEST535275237.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:21.790947914 CEST6420653192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:21.874947071 CEST536420637.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:28.964813948 CEST5090453192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:29.098757982 CEST535090437.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:38.636013985 CEST5752553192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:38.691895008 CEST535752537.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:46.442315102 CEST5381453192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:46.498008013 CEST535381437.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:20:55.089436054 CEST5341853192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:20:55.243484974 CEST535341837.235.1.174192.168.2.4
                                                      Jun 10, 2021 03:21:03.328071117 CEST6283353192.168.2.437.235.1.174
                                                      Jun 10, 2021 03:21:03.406781912 CEST536283337.235.1.174192.168.2.4

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                      Jun 10, 2021 03:19:11.142307043 CEST192.168.2.437.235.1.1740xfe83Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:18.993657112 CEST192.168.2.437.235.1.1740x8195Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:26.174827099 CEST192.168.2.437.235.1.1740x75e3Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:33.732223034 CEST192.168.2.437.235.1.1740xa386Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:41.269577026 CEST192.168.2.437.235.1.1740x182aStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:47.945164919 CEST192.168.2.437.235.1.1740x295aStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:48.968564987 CEST192.168.2.437.235.1.1740x295aStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:57.645277977 CEST192.168.2.437.235.1.1740x7482Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:05.220132113 CEST192.168.2.437.235.1.1740xe98fStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:11.986114025 CEST192.168.2.437.235.1.1740x7979Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:21.790947914 CEST192.168.2.437.235.1.1740xbc5cStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:28.964813948 CEST192.168.2.437.235.1.1740xce79Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:38.636013985 CEST192.168.2.437.235.1.1740x6bd3Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:46.442315102 CEST192.168.2.437.235.1.1740xd355Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:55.089436054 CEST192.168.2.437.235.1.1740xe91cStandard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:21:03.328071117 CEST192.168.2.437.235.1.1740x1808Standard query (0)redvelvet.ddns.netA (IP address)IN (0x0001)

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                      Jun 10, 2021 03:19:11.198112011 CEST37.235.1.174192.168.2.40xfe83No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:19.051736116 CEST37.235.1.174192.168.2.40x8195No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:26.394258976 CEST37.235.1.174192.168.2.40x75e3No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:33.787194014 CEST37.235.1.174192.168.2.40xa386No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:41.341258049 CEST37.235.1.174192.168.2.40x182aNo error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:49.755642891 CEST37.235.1.174192.168.2.40x295aNo error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:19:57.737926006 CEST37.235.1.174192.168.2.40x7482No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:05.275959969 CEST37.235.1.174192.168.2.40xe98fNo error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:12.395452976 CEST37.235.1.174192.168.2.40x7979No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:21.874947071 CEST37.235.1.174192.168.2.40xbc5cNo error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:29.098757982 CEST37.235.1.174192.168.2.40xce79No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:38.691895008 CEST37.235.1.174192.168.2.40x6bd3No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:46.498008013 CEST37.235.1.174192.168.2.40xd355No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:20:55.243484974 CEST37.235.1.174192.168.2.40xe91cNo error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)
                                                      Jun 10, 2021 03:21:03.406781912 CEST37.235.1.174192.168.2.40x1808No error (0)redvelvet.ddns.net194.5.98.5A (IP address)IN (0x0001)

                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      Analysis Process: wlCqbMRJ7p.exe PID: 7068 Parent PID: 5904

                                                      General

                                                      Start time:03:18:58
                                                      Start date:10/06/2021
                                                      Path:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
                                                      Imagebase:0x240000
                                                      File size:896000 bytes
                                                      MD5 hash:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.667709739.000000000290A000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.674024558.00000000039A2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      Analysis Process: powershell.exe PID: 3980 Parent PID: 7068

                                                      General

                                                      Start time:03:19:01
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\wlCqbMRJ7p.exe'
                                                      Imagebase:0xf50000
                                                      File size:430592 bytes
                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 4240 Parent PID: 3980

                                                      General

                                                      Start time:03:19:01
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: powershell.exe PID: 1472 Parent PID: 7068

                                                      General

                                                      Start time:03:19:02
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
                                                      Imagebase:0xf50000
                                                      File size:430592 bytes
                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 4048 Parent PID: 1472

                                                      General

                                                      Start time:03:19:02
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: schtasks.exe PID: 4788 Parent PID: 7068

                                                      General

                                                      Start time:03:19:02
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp3309.tmp'
                                                      Imagebase:0xeb0000
                                                      File size:185856 bytes
                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 6416 Parent PID: 4788

                                                      General

                                                      Start time:03:19:02
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: powershell.exe PID: 5744 Parent PID: 7068

                                                      General

                                                      Start time:03:19:03
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
                                                      Imagebase:0xf50000
                                                      File size:430592 bytes
                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 1360 Parent PID: 5744

                                                      General

                                                      Start time:03:19:04
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: wlCqbMRJ7p.exe PID: 4824 Parent PID: 7068

                                                      General

                                                      Start time:03:19:04
                                                      Start date:10/06/2021
                                                      Path:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\wlCqbMRJ7p.exe
                                                      Imagebase:0x5a0000
                                                      File size:896000 bytes
                                                      MD5 hash:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936400205.0000000006180000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.926195315.0000000003DAF000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.935921862.0000000006130000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.935270589.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936078270.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.932808290.00000000052E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.657336154.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936268764.0000000006160000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.914023983.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.926820947.0000000003EC4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936172427.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936172427.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.933106616.0000000005580000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.658537972.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.935698776.0000000006110000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.935698776.0000000006110000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.935364932.00000000060E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.935364932.00000000060E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936810331.00000000061E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936810331.00000000061E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.924531012.0000000002DA5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.931965501.0000000005110000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.931965501.0000000005110000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936525996.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936525996.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.936631207.00000000061B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.936631207.00000000061B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      Reputation:low

                                                      Analysis Process: dhcpmon.exe PID: 4832 Parent PID: 3424

                                                      General

                                                      Start time:03:19:19
                                                      Start date:10/06/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                      Imagebase:0x330000
                                                      File size:896000 bytes
                                                      MD5 hash:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.748959216.00000000029EA000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.775019675.0000000003A82000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: MAL_CRIME_suspicious_hex_string_Jun21_1, Description: Triggers on parts of a big hex string available in lots of crime\'ish PE files., Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Nils Kuhnert
                                                      Antivirus matches:
                                                      • Detection: 13%, ReversingLabs
                                                      Reputation:low

                                                      Analysis Process: powershell.exe PID: 5948 Parent PID: 4832

                                                      General

                                                      Start time:03:19:25
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                      Imagebase:0xf50000
                                                      File size:430592 bytes
                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 5856 Parent PID: 5948

                                                      General

                                                      Start time:03:19:26
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: schtasks.exe PID: 2460 Parent PID: 4832

                                                      General

                                                      Start time:03:19:27
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gNhkpKoVomdVye' /XML 'C:\Users\user\AppData\Local\Temp\tmp9713.tmp'
                                                      Imagebase:0xeb0000
                                                      File size:185856 bytes
                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Analysis Process: conhost.exe PID: 6636 Parent PID: 2460

                                                      General

                                                      Start time:03:19:27
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      Analysis Process: powershell.exe PID: 4484 Parent PID: 4832

                                                      General

                                                      Start time:03:19:28
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\gNhkpKoVomdVye.exe'
                                                      Imagebase:0xf50000
                                                      File size:430592 bytes
                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      Analysis Process: conhost.exe PID: 4808 Parent PID: 4484

                                                      General

                                                      Start time:03:19:29
                                                      Start date:10/06/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      Analysis Process: dhcpmon.exe PID: 7100 Parent PID: 4832

                                                      General

                                                      Start time:03:19:29
                                                      Start date:10/06/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Imagebase:0x540000
                                                      File size:896000 bytes
                                                      MD5 hash:EA153FC5DBC16BCB6987DB3D8AD0E965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.748103978.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.712960389.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.720264575.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.777957444.0000000003BB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.776929618.0000000002BB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                      Disassembly

                                                      Code Analysis

                                                      Reset < >