Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report pIjxtI0ZlU.exe

Overview

General Information

Sample Name:pIjxtI0ZlU.exe
Analysis ID:432674
MD5:a253962036d634b39e913bc0322584e5
SHA1:769427fca217accda232a61a9796affd6536c24b
SHA256:e6a6126a0e0da3279205a265388761d74ceade122fafc5a393c2d6b9dcc3b8e1
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • pIjxtI0ZlU.exe (PID: 5712 cmdline: 'C:\Users\user\Desktop\pIjxtI0ZlU.exe' MD5: A253962036D634B39E913BC0322584E5)
    • powershell.exe (PID: 5868 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4624 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4184 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2860 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pIjxtI0ZlU.exe (PID: 2208 cmdline: C:\Users\user\Desktop\pIjxtI0ZlU.exe MD5: A253962036D634B39E913BC0322584E5)
  • dhcpmon.exe (PID: 6304 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A253962036D634B39E913BC0322584E5)
    • powershell.exe (PID: 6432 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6448 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF63.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6604 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: A253962036D634B39E913BC0322584E5)
    • dhcpmon.exe (PID: 6716 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: A253962036D634B39E913BC0322584E5)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b90524a1-4a4b-41de-ac06-59066a86", "Group": "Panda", "Domain1": "emedoo.ddns.net", "Domain2": "127.0.0.1", "Port": 5230, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "emedoo.ddns.net", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Click to see the 65 entries

Unpacked PEs

SourceRuleDescriptionAuthorStrings
9.2.pIjxtI0ZlU.exe.6e80000.32.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
9.2.pIjxtI0ZlU.exe.6e80000.32.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x13a8:$x2: NanoCore.ClientPluginHost
  • 0x1486:$s4: PipeCreated
  • 0x13c2:$s5: IClientLoggingHost
9.2.pIjxtI0ZlU.exe.5f0e8a4.24.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x10937:$x1: NanoCore.ClientPluginHost
  • 0x10951:$x2: IClientNetworkHost
9.2.pIjxtI0ZlU.exe.5f0e8a4.24.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x10937:$x2: NanoCore.ClientPluginHost
  • 0x13c74:$s4: PipeCreated
  • 0x10924:$s5: IClientLoggingHost
9.2.pIjxtI0ZlU.exe.4362354.8.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
Click to see the 172 entries

Sigma Overview

AV Detection:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pIjxtI0ZlU.exe, ProcessId: 2208, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pIjxtI0ZlU.exe, ProcessId: 2208, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

barindex
Sigma detected: Non Interactive PowerShellShow sources
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\pIjxtI0ZlU.exe' , ParentImage: C:\Users\user\Desktop\pIjxtI0ZlU.exe, ParentProcessId: 5712, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe', ProcessId: 5868

Stealing of Sensitive Information:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pIjxtI0ZlU.exe, ProcessId: 2208, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

barindex
Sigma detected: NanoCoreShow sources
Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pIjxtI0ZlU.exe, ProcessId: 2208, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Found malware configurationShow sources
Source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b90524a1-4a4b-41de-ac06-59066a86", "Group": "Panda", "Domain1": "emedoo.ddns.net", "Domain2": "127.0.0.1", "Port": 5230, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "emedoo.ddns.net", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMetadefender: Detection: 34%Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\cKGPEGrRS.exeMetadefender: Detection: 34%Perma Link
Source: C:\Users\user\AppData\Roaming\cKGPEGrRS.exeReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted fileShow sources
Source: pIjxtI0ZlU.exeMetadefender: Detection: 34%Perma Link
Source: pIjxtI0ZlU.exeReversingLabs: Detection: 64%
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORY
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped fileShow sources
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cKGPEGrRS.exeJoe Sandbox ML: detected
Machine Learning detection for sampleShow sources
Source: pIjxtI0ZlU.exeJoe Sandbox ML: detected
Source: 18.0.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 18.0.dhcpmon.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpackAvira: Label: TR/NanoCore.fadte
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
Source: pIjxtI0ZlU.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: pIjxtI0ZlU.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: pIjxtI0ZlU.exe, 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: pIjxtI0ZlU.exe, 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: pIjxtI0ZlU.exe, 00000000.00000002.664838977.0000000005740000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.942840729.0000000005820000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.781746883.0000000004F40000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 4x nop then mov esp, ebp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49728 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49730 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49731 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49732 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49733 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49735 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49738 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49741 -> 79.134.225.70:5230
Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 79.134.225.70:5230
C2 URLs / IPs found in malware configurationShow sources
Source: Malware configuration extractorURLs: emedoo.ddns.net
Source: Malware configuration extractorURLs: 127.0.0.1
Uses dynamic DNS servicesShow sources
Source: unknownDNS query: name: emedoo.ddns.net
Source: global trafficTCP traffic: 192.168.2.4:49728 -> 79.134.225.70:5230
Source: Joe Sandbox ViewIP Address: 79.134.225.70 79.134.225.70
Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_05512B9A WSARecv,
Source: unknownDNS traffic detected: queries for: emedoo.ddns.net
Source: powershell.exe, 00000001.00000003.674766097.0000000000E78000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.922849819.00000000007C6000.00000004.00000020.sdmp, powershell.exe, 00000007.00000002.925476485.000000000074B000.00000004.00000020.sdmp, powershell.exe, 0000000B.00000002.931149439.00000000031C7000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000003.838577539.0000000008AE5000.00000004.00000001.sdmpString found in binary or memory: http://crl.m
Source: pIjxtI0ZlU.exe, 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmpString found in binary or memory: http://google.com
Source: powershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.936782156.00000000045E6000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.934059423.00000000043B1000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.935635530.00000000043B1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.935204411.0000000004A9C000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.933541670.0000000004B56000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.936782156.00000000045E6000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000003.844162824.0000000007C9A000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.ck
Source: powershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.802916324.0000000005370000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: dhcpmon.exe, 0000000A.00000002.737183131.0000000000C28000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: pIjxtI0ZlU.exe, 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORY
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.944714710.0000000005ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.944949810.0000000005EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.947720444.00000000068F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.948576490.0000000006D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.948873822.0000000006D40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.945020551.0000000005F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.947857649.0000000006910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.949135204.0000000006E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.943137206.0000000005880000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.948362673.0000000006BB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.947592348.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6e80000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5f0e8a4.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.437540f.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6910000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32d4228.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32d4228.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.458ebe1.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.2d03ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.5880000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5f04c9f.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.4636c61.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.3.pIjxtI0ZlU.exe.4636c61.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.3241270.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_018D121A NtQuerySystemInformation,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_018D11E9 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_055113CE NtQuerySystemInformation,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_05511393 NtQuerySystemInformation,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04D112EA NtQuerySystemInformation,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04D112B9 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_01910070
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_019119B8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_01910006
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328E768
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03282FB8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328E380
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03281668
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03283968
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03280963
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328ED88
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03280D80
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032819E0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03284808
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032828D0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03286B38
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03284719
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032867A0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032867B0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03281618
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03280A48
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03281659
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03286280
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328AA98
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328C6F8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328A510
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03281D78
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03287570
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03286971
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328B9B0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03286980
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03281990
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032865C8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032855C0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032865D0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032855D0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_032819D0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03282830
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328C010
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328286F
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328F0A0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_0328A4F0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_00E63B1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053C160
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00538430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_005397E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053F8B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053BBD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053DCC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00530040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053A010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00530040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00530040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_005388A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_005369C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_005369B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053BBD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00CF77F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00CF77CD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_005570A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_001BECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_001BECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_001BECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F8230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004FC360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F95E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004FBDD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004FBDD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F86A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F67C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F67C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004FDCB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F9D59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_001B81E3
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E8938
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E3850
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E2FA8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E23A0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053EB208
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E9538
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E95FF
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E9DE0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E306F
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_053E984B
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_067982E8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06796748
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06795B48
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06796FF0
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06791FE8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06793090
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06793AA8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_0679969F
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_0679680F
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_06793157
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_067995D8
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_00B43B1C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC28D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC4808
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC19E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC0D80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC3962
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC1668
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC0A48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC2FB8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECE380
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECA4A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC5428
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC2830
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECC010
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC65CB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC55C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC19D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC65D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC55D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECB9B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC6980
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC1D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC7570
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC6971
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECA510
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECC6F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC6280
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECE698
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04ECAA98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC1659
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC57F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC67A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC67B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC6B38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC4719
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05460070
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0546191C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05460069
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05461AC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_004F3B1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0318AE0B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0318AD80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1CE28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F17310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F13778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1758B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F15A78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1CE28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07E01288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07E01298
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08193990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_081939F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_081939E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0318769A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_031876A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0318AE48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0819DB67
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0819001B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08190040
Source: pIjxtI0ZlU.exe, 00000000.00000002.664838977.0000000005740000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000002.666762872.00000000063B0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000000.642788114.0000000000F38000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDayOfWeek.exe" vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000002.661540001.00000000037A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCutsAttr.dllH vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000002.667272410.00000000064A0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000002.667272410.00000000064A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000000.00000002.665961573.0000000005BF0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.919241663.0000000000C18000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDayOfWeek.exe" vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.941556876.0000000005500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.943463518.0000000005B10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.935860145.0000000003231000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.942840729.0000000005820000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exe, 00000009.00000002.949319211.0000000006EA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exeBinary or memory string: OriginalFilenameDayOfWeek.exe" vs pIjxtI0ZlU.exe
Source: pIjxtI0ZlU.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.944714710.0000000005ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.944714710.0000000005ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.944949810.0000000005EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.944949810.0000000005EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.947720444.00000000068F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.947720444.00000000068F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.948576490.0000000006D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.948576490.0000000006D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.948873822.0000000006D40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.948873822.0000000006D40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.945020551.0000000005F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.945020551.0000000005F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.947857649.0000000006910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.947857649.0000000006910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.949135204.0000000006E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.949135204.0000000006E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.943137206.0000000005880000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.943137206.0000000005880000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.948362673.0000000006BB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.948362673.0000000006BB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.947592348.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.947592348.00000000068E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6e80000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6e80000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5f0e8a4.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f0e8a4.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.437540f.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.437540f.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4362354.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6910000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6910000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.68f0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32d4228.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.32d4228.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32d4228.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.458ebe1.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.458ebe1.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6bb0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4589f42.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.2d03ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.2d03ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.463c68d.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4370770.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.68e0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.5880000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5880000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6d10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5ed0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.3.pIjxtI0ZlU.exe.4622636.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5f04c9f.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f04c9f.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.4636c61.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.3.pIjxtI0ZlU.exe.4636c61.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.pIjxtI0ZlU.exe.4636c61.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.32bfbf4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f30000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.6d40000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.32b39e8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.5f00000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.3241270.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.3241270.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.pIjxtI0ZlU.exe.4580d0e.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: pIjxtI0ZlU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: cKGPEGrRS.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: classification engineClassification label: mal100.troj.evad.winEXE@29/30@13/2
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_018D109E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_018D1067 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_0551118E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_05511157 AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04D10C2A AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04D10BF3 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile created: C:\Users\user\AppData\Roaming\cKGPEGrRS.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{b90524a1-4a4b-41de-ac06-59066a861712}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\YwDaYGNlAutIryJGajIIELyw
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6A8A.tmpJump to behavior
Source: pIjxtI0ZlU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: pIjxtI0ZlU.exeMetadefender: Detection: 34%
Source: pIjxtI0ZlU.exeReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile read: C:\Users\user\Desktop\pIjxtI0ZlU.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\pIjxtI0ZlU.exe 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Users\user\Desktop\pIjxtI0ZlU.exe C:\Users\user\Desktop\pIjxtI0ZlU.exe
Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF63.tmp'
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Users\user\Desktop\pIjxtI0ZlU.exe C:\Users\user\Desktop\pIjxtI0ZlU.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF63.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: pIjxtI0ZlU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: pIjxtI0ZlU.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: pIjxtI0ZlU.exe, 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: pIjxtI0ZlU.exe, 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: pIjxtI0ZlU.exe, 00000000.00000002.664838977.0000000005740000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.942840729.0000000005820000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.781746883.0000000004F40000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpackerShow sources
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 0_2_03288971 push esp; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0053A360 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0055DEA1 push esp; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0055DF21 push eax; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00CF2F52 push FFFFFF8Bh; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004FA16F push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_004F3670 push eax; retn 0019h
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_014F769F push es; ret
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_014F9DEC pushfd ; retf
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_014F9E24 pushfd ; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_04EC8971 push esp; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1B167 push edi; retn 0000h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1B177 push edi; retn 0000h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1D241 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1B3F0 pushad ; retn 0000h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1D4B1 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00C1E721 push ss; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1A360 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1A401 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1E5B0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F10A6A push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F10A20 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1F358 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F1F348 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F10840 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_07E00C10 pushad ; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0819A828 pushad ; retf 0000h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08194910 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_0819392D push esp; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08193940 push esp; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08197B11 push ss; retf 0000h
Source: initial sampleStatic PE information: section name: .text entropy: 7.81196430764
Source: initial sampleStatic PE information: section name: .text entropy: 7.81196430764
Source: initial sampleStatic PE information: section name: .text entropy: 7.81196430764
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile created: C:\Users\user\AppData\Roaming\cKGPEGrRS.exeJump to dropped file
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeFile opened: C:\Users\user\Desktop\pIjxtI0ZlU.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3Show sources
Source: Yara matchFile source: 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORY
Source: Yara matchFile source: Process Memory Space: pIjxtI0ZlU.exe PID: 5712, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: pIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3043
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4242
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3614
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1598
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 883
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 709
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 808Thread sleep time: -104741s >= -30000s
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 808Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 2440Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3436Thread sleep count: 3668 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2896Thread sleep count: 3484 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764Thread sleep count: 77 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800Thread sleep count: 3614 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4296Thread sleep count: 3233 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4240Thread sleep count: 51 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7100Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 5164Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 4500Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exe TID: 4044Thread sleep time: -1340000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6308Thread sleep time: -99751s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6308Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6336Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6856Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6552Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6552Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692Thread sleep count: 709 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692Thread sleep count: 331 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6884Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_05510E1A GetSystemInfo,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 104741
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 30000
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 99751
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 30000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.936939510.0000000004DBA000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.936263405.0000000004E16000.00000004.00000001.sdmpBinary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 0000000B.00000002.936939510.0000000004DBA000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.936263405.0000000004E16000.00000004.00000001.sdmpBinary or memory string: Hyper-V
Source: pIjxtI0ZlU.exe, 00000009.00000002.949319211.0000000006EA0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: vmware
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: VMWARE
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pIjxtI0ZlU.exe, 00000009.00000002.949319211.0000000006EA0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: pIjxtI0ZlU.exe, 00000009.00000002.949319211.0000000006EA0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: pIjxtI0ZlU.exe, 00000009.00000002.949319211.0000000006EA0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Adds a directory exclusion to Windows DefenderShow sources
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeMemory written: C:\Users\user\Desktop\pIjxtI0ZlU.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeProcess created: C:\Users\user\Desktop\pIjxtI0ZlU.exe C:\Users\user\Desktop\pIjxtI0ZlU.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF63.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: pIjxtI0ZlU.exe, 00000009.00000003.662675630.0000000001271000.00000004.00000001.sdmpBinary or memory string: Program ManagerLISTLISTLIST<
Source: powershell.exe, 00000003.00000002.933600206.0000000002FA0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.935294577.0000000002FA0000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.936877000.00000000033D6000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.933085009.0000000003490000.00000002.00000001.sdmp, powershell.exe, 0000000F.00000002.929722446.0000000003530000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: pIjxtI0ZlU.exe, 00000009.00000002.936877000.00000000033D6000.00000004.00000001.sdmpBinary or memory string: Program ManagerhJ
Source: powershell.exe, 00000003.00000002.933600206.0000000002FA0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.935294577.0000000002FA0000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.930041789.0000000001990000.00000002.00000001.sdmp, powershell.exe, 0000000B.00000002.933085009.0000000003490000.00000002.00000001.sdmp, powershell.exe, 0000000F.00000002.929722446.0000000003530000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000003.00000002.933600206.0000000002FA0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.935294577.0000000002FA0000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.930041789.0000000001990000.00000002.00000001.sdmp, powershell.exe, 0000000B.00000002.933085009.0000000003490000.00000002.00000001.sdmp, powershell.exe, 0000000F.00000002.929722446.0000000003530000.00000002.00000001.sdmpBinary or memory string: Progman
Source: powershell.exe, 00000003.00000002.933600206.0000000002FA0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.935294577.0000000002FA0000.00000002.00000001.sdmp, pIjxtI0ZlU.exe, 00000009.00000002.930041789.0000000001990000.00000002.00000001.sdmp, powershell.exe, 0000000B.00000002.933085009.0000000003490000.00000002.00000001.sdmp, powershell.exe, 0000000F.00000002.929722446.0000000003530000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_055131B6 GetSystemTimes,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_010CAF9A GetUserNameW,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORY
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore RatShow sources
Source: pIjxtI0ZlU.exe, 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: pIjxtI0ZlU.exe, 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: pIjxtI0ZlU.exe, 00000009.00000002.935860145.0000000003231000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: pIjxtI0ZlU.exe PID: 2208, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6716, type: MEMORY
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d295fe.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3f0bca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b24629.19.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.4296ef8.6.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d2e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.47dbca8.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.429b521.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.3d32a5d.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 10.2.dhcpmon.exe.3dbfc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.2.pIjxtI0ZlU.exe.5b20000.18.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 9.0.pIjxtI0ZlU.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.pIjxtI0ZlU.exe.468fc08.2.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_055126DE bind,
Source: C:\Users\user\Desktop\pIjxtI0ZlU.exeCode function: 9_2_0551268C bind,

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Access Token Manipulation1Disable or Modify Tools11Input Capture21System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsProcess Injection112Deobfuscate/Decode Files or Information1LSASS MemoryAccount Discovery1Remote Desktop ProtocolInput Capture21Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Scheduled Task/Job1Obfuscated Files or Information3Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSSystem Information Discovery14Distributed Component Object ModelInput CaptureScheduled TransferRemote Access Software1SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsSecurity Software Discovery221SSHKeyloggingData Transfer Size LimitsNon-Application Layer Protocol1Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion31Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelApplication Layer Protocol21Jamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncVirtualization/Sandbox Evasion31Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432674 Sample: pIjxtI0ZlU.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 61 emedoo.ddns.net 2->61 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 13 other signatures 2->75 8 pIjxtI0ZlU.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 47 C:\Users\user\AppData\Roaming\cKGPEGrRS.exe, PE32 8->47 dropped 49 C:\Users\...\cKGPEGrRS.exe:Zone.Identifier, ASCII 8->49 dropped 51 C:\Users\user\AppData\Local\...\tmp6A8A.tmp, XML 8->51 dropped 53 C:\Users\user\AppData\...\pIjxtI0ZlU.exe.log, ASCII 8->53 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 8->77 79 Adds a directory exclusion to Windows Defender 8->79 81 Injects a PE file into a foreign processes 8->81 14 pIjxtI0ZlU.exe 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 24 8->21         started        29 2 other processes 8->29 23 powershell.exe 12->23         started        25 schtasks.exe 12->25         started        27 powershell.exe 12->27         started        31 2 other processes 12->31 signatures6 process7 dnsIp8 63 emedoo.ddns.net 79.134.225.70, 49728, 49730, 49731 FINK-TELECOM-SERVICESCH Switzerland 14->63 65 192.168.2.1 unknown unknown 14->65 55 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->55 dropped 57 C:\Users\user\AppData\Roaming\...\run.dat, data 14->57 dropped 59 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 14->59 dropped 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->67 33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 29->45         started        file9 signatures10 process11

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
pIjxtI0ZlU.exe40%MetadefenderBrowse
pIjxtI0ZlU.exe64%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
pIjxtI0ZlU.exe100%Joe Sandbox ML

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
C:\Users\user\AppData\Roaming\cKGPEGrRS.exe100%Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe40%MetadefenderBrowse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe64%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\cKGPEGrRS.exe40%MetadefenderBrowse
C:\Users\user\AppData\Roaming\cKGPEGrRS.exe64%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
18.0.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
9.2.pIjxtI0ZlU.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
18.0.dhcpmon.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
9.0.pIjxtI0ZlU.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
18.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
9.2.pIjxtI0ZlU.exe.5b20000.18.unpack100%AviraTR/NanoCore.fadteDownload File
9.0.pIjxtI0ZlU.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
emedoo.ddns.net0%Avira URL Cloudsafe
http://crl.m0%URL Reputationsafe
http://crl.m0%URL Reputationsafe
http://crl.m0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://www.microsoft.ck0%Avira URL Cloudsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
127.0.0.10%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
emedoo.ddns.net
79.134.225.70
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    emedoo.ddns.nettrue
    • Avira URL Cloud: safe
    		unknown
    127.0.0.1true
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://crl.mpowershell.exe, 00000007.00000003.838577539.0000000008AE5000.00000004.00000001.sdmpfalse
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    		unknown
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpfalse
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    		unknown
    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000007.00000002.936782156.00000000045E6000.00000004.00000001.sdmpfalse
      		high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.934059423.00000000043B1000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.935635530.00000000043B1000.00000004.00000001.sdmp, powershell.exe, 0000000B.00000002.935204411.0000000004A9C000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.933541670.0000000004B56000.00000004.00000001.sdmpfalse
        		high
        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpfalse
          		high
          http://www.microsoft.ckpowershell.exe, 00000003.00000003.844162824.0000000007C9A000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://go.micropowershell.exe, 00000001.00000003.802916324.0000000005370000.00000004.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          https://github.com/Pester/Pesterpowershell.exe, 00000001.00000003.785021525.0000000007BA2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.838116657.00000000007DE000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.936158924.00000000044F3000.00000004.00000001.sdmpfalse
            		high
            https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.csspIjxtI0ZlU.exe, 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmpfalse
              		high
              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.936782156.00000000045E6000.00000004.00000001.sdmpfalse
                		high

                Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public

                IPDomainCountryFlagASNASN NameMalicious
                79.134.225.70
                		emedoo.ddns.netSwitzerland
                		6775FINK-TELECOM-SERVICESCHtrue

                Private

                IP
                192.168.2.1

                General Information

                Joe Sandbox Version:32.0.0 Black Diamond
                Analysis ID:432674
                Start date:10.06.2021
                Start time:16:42:19
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 15m 19s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:pIjxtI0ZlU.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@29/30@13/2
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                Show All
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • TCP Packets have been reduced to 100
                • Exclude process from analysis (whitelisted): WmiPrvSE.exe
                • Not all processes where analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/432674/sample/pIjxtI0ZlU.exe

                Simulations

                Behavior and APIs

                TimeTypeDescription
                16:43:05API Interceptor466x Sleep call for process: pIjxtI0ZlU.exe modified
                16:43:16AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                16:43:26API Interceptor2x Sleep call for process: dhcpmon.exe modified
                16:43:57API Interceptor188x Sleep call for process: powershell.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                79.134.225.70Transcation23032021pdf.exeGet hashmaliciousBrowse
                  Scanpdf04232021.exeGet hashmaliciousBrowse
                    New Tender04,pdf.exeGet hashmaliciousBrowse
                      dL1JMb6Tx6.exeGet hashmaliciousBrowse
                        03_extracted.exeGet hashmaliciousBrowse
                          ntfsmgr.jarGet hashmaliciousBrowse
                            myups.exeGet hashmaliciousBrowse
                              Inv!Overdues.xlsxGet hashmaliciousBrowse
                                remittance.jarGet hashmaliciousBrowse
                                  https://atlashotel.co.ukGet hashmaliciousBrowse
                                    https://atlashotel.co.ukGet hashmaliciousBrowse
                                      https://atlashotel.co.uk/Get hashmaliciousBrowse
                                        https://onedrive.live.com/download?cid=61A1A28AC02783D7&resid=61A1A28AC02783D7%2521106&authkey=ANNsUsrVD6AJ5Z8Get hashmaliciousBrowse
                                          https://specoriginalsltd.co.uk/Get hashmaliciousBrowse
                                            https://specoriginalsltd.co.uk/Get hashmaliciousBrowse
                                              https://ausbuildproltd.com/Get hashmaliciousBrowse
                                                43Purchase 0rder Number POE 009389629 M89.exeGet hashmaliciousBrowse
                                                  25Img-cheque53.jpg.lnkGet hashmaliciousBrowse
                                                    11Img-Cheque.jpg.lnkGet hashmaliciousBrowse
                                                      59EFT voucher_eft-234GF.exeGet hashmaliciousBrowse

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        emedoo.ddns.netRe R new proforma.exeGet hashmaliciousBrowse
                                                        • 185.140.53.138
                                                        Devizni izvod za partiju 0050100073053.exeGet hashmaliciousBrowse
                                                        • 79.134.225.71

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        FINK-TELECOM-SERVICESCHdYy3yfSkwY.exeGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        Purchase Order Price List 061021.xlsxGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        ZVFVY7NwZ7.exeGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        0jyrU2E05S.exeGet hashmaliciousBrowse
                                                        • 79.134.225.72
                                                        kyIfnzzg3E.exeGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        Ref 0180066743.xlsxGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        MS2106071066.exeGet hashmaliciousBrowse
                                                        • 79.134.225.71
                                                        Kangean PO.docGet hashmaliciousBrowse
                                                        • 79.134.225.72
                                                        facture.jarGet hashmaliciousBrowse
                                                        • 79.134.225.69
                                                        c3yBu1IF57.exeGet hashmaliciousBrowse
                                                        • 79.134.225.92
                                                        DPSGNwkO1Z.exeGet hashmaliciousBrowse
                                                        • 79.134.225.25
                                                        SecuriteInfo.com.Trojan.Win32.Save.a.16917.exeGet hashmaliciousBrowse
                                                        • 79.134.225.94
                                                        AedJpyQ9lM.exeGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        H538065217Invoice.exeGet hashmaliciousBrowse
                                                        • 79.134.225.9
                                                        Purchase Order Price List.xlsxGet hashmaliciousBrowse
                                                        • 79.134.225.90
                                                        P.I-84512.docGet hashmaliciousBrowse
                                                        • 79.134.225.41
                                                        l00VLAF9y0xQ9Vr.exeGet hashmaliciousBrowse
                                                        • 79.134.225.92
                                                        Swift [ref QT #U2013 2102001-R2]pdf.exeGet hashmaliciousBrowse
                                                        • 79.134.225.10
                                                        PO756654.exeGet hashmaliciousBrowse
                                                        • 79.134.225.99
                                                        qdFDmi3Bhy.exeGet hashmaliciousBrowse
                                                        • 79.134.225.90

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):872960
                                                        Entropy (8bit):7.804008605753687
                                                        Encrypted:false
                                                        SSDEEP:24576:sTG4f1eyPqmm+zEXrT+LURFgLL43PpFUoEn7:oGoFmTrT+LUgLLr7
                                                        MD5:A253962036D634B39E913BC0322584E5
                                                        SHA1:769427FCA217ACCDA232A61A9796AFFD6536C24B
                                                        SHA-256:E6A6126A0E0DA3279205A265388761D74CEADE122FAFC5A393C2D6B9DCC3B8E1
                                                        SHA-512:B23F44D6C1449F9268CF9ACC75ABB3F7402A8721BAC4BBE026EC8DC5F87FF3D576146E346D96A45F108D01A1B1AFC956C14E476A86C4A3D4E32E07C42F3301FF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: Metadefender, Detection: 40%, Browse
                                                        • Antivirus: ReversingLabs, Detection: 64%
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..`..............P..F...........e... ........... ....................................@.................................`e..O.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............P..............@..B.................e......H........;..x.......f....K..h.............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*&..(,....*...0..<........~.....(-.....,!r...p.....(....o/...s0............~.....+..*.0...........~.....+..*".......*.0...........(....r5..p~....o1....+..*...0..<........~.....(-.....,!rG..p.....(.
                                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):525
                                                        Entropy (8bit):5.2874233355119316
                                                        Encrypted:false
                                                        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                        MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                        SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                        SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                        SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                        Malicious:false
                                                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\pIjxtI0ZlU.exe.log
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):525
                                                        Entropy (8bit):5.2874233355119316
                                                        Encrypted:false
                                                        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                        MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                        SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                        SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                        SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                        Malicious:true
                                                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):15432
                                                        Entropy (8bit):5.013651254695938
                                                        Encrypted:false
                                                        SSDEEP:384:Jib44EdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:0YV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
                                                        MD5:96C8600F85FEE8291031FEE1B9C99641
                                                        SHA1:A902BA7EC2DE98ED7A6A146748128FE9D9ACFD98
                                                        SHA-256:F04CBAE3845B54695F75A170593B854D7860E5FE3CA09AC8898E3A83528D207A
                                                        SHA-512:6795F6F6963E61E7D0711D2D4E375BBB0A527B8E1EAE0D687517832BDAF500F6D49E4A144F0133C4A4373CCBC22D769E6490150A816B05CF57014C43A8F4F021
                                                        Malicious:false
                                                        Preview: PSMODULECACHE.............a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..........C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command..
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2eauonq5.sf4.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45xdmgad.ne3.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qishmbi.mwv.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvvweyxm.cq0.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0jcxbvr.oaj.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ls4citrk.03p.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3xc3fy5.3rw.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfw4koet.qzi.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwxtwu25.t5k.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3dvtdlu.gel.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1642
                                                        Entropy (8bit):5.179190126981541
                                                        Encrypted:false
                                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBOtn:cbhK79lNQR/rydbz9I3YODOLNdq30o
                                                        MD5:8B6094474FC32FB3A4338E648AAAF862
                                                        SHA1:BDE51867C9528169C7AD3766895AC3ADA53234D7
                                                        SHA-256:6816C07A604CA2CAEFAF5591A5ECF8FF1C97AC93408FE1B1CCC64DF50C8FF134
                                                        SHA-512:1FBB311203B2EFA27C18F07CFB64887C458F534A7A636D762B37A7E058FE84195208E58CE46FEAFCBACD33C6EA10FA5476E37D899FDB5C0FD3AE564D46EC5C88
                                                        Malicious:true
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                        C:\Users\user\AppData\Local\Temp\tmpAF63.tmp
                                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1642
                                                        Entropy (8bit):5.179190126981541
                                                        Encrypted:false
                                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGBOtn:cbhK79lNQR/rydbz9I3YODOLNdq30o
                                                        MD5:8B6094474FC32FB3A4338E648AAAF862
                                                        SHA1:BDE51867C9528169C7AD3766895AC3ADA53234D7
                                                        SHA-256:6816C07A604CA2CAEFAF5591A5ECF8FF1C97AC93408FE1B1CCC64DF50C8FF134
                                                        SHA-512:1FBB311203B2EFA27C18F07CFB64887C458F534A7A636D762B37A7E058FE84195208E58CE46FEAFCBACD33C6EA10FA5476E37D899FDB5C0FD3AE564D46EC5C88
                                                        Malicious:false
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2320
                                                        Entropy (8bit):7.024371743172393
                                                        Encrypted:false
                                                        SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                                        MD5:0FBED11864C03FDED0E70014DCF84578
                                                        SHA1:453723D938A03252F705B0A104986FE4C5CA7056
                                                        SHA-256:70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
                                                        SHA-512:DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
                                                        Malicious:false
                                                        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8
                                                        Entropy (8bit):3.0
                                                        Encrypted:false
                                                        SSDEEP:3:927J8t:U7+
                                                        MD5:A809CC4AB3446553E27FD56631548E89
                                                        SHA1:059B4901CCB5ADAC8DB1B1405C9981704562A033
                                                        SHA-256:8EF32C0109E66CB0F663793C1CAD8823E42A41DECA38E1F3641631A103F5D94C
                                                        SHA-512:A394735C84D711B7FC2818A2EC3146158B9A78968DDD2973792617E4390CBEBE04F78DD68218CAC19EA746B1E9B6A2FD04CEA92CBFDE38D347CC32828256D473
                                                        Malicious:true
                                                        Preview: ..X..,.H
                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):40
                                                        Entropy (8bit):5.153055907333276
                                                        Encrypted:false
                                                        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                        MD5:4E5E92E2369688041CC82EF9650EDED2
                                                        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                        Malicious:false
                                                        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):426840
                                                        Entropy (8bit):7.999608491116724
                                                        Encrypted:true
                                                        SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
                                                        MD5:963D5E2C9C0008DFF05518B47C367A7F
                                                        SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
                                                        SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
                                                        SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
                                                        Malicious:false
                                                        Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                                        C:\Users\user\AppData\Roaming\cKGPEGrRS.exe
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):872960
                                                        Entropy (8bit):7.804008605753687
                                                        Encrypted:false
                                                        SSDEEP:24576:sTG4f1eyPqmm+zEXrT+LURFgLL43PpFUoEn7:oGoFmTrT+LUgLLr7
                                                        MD5:A253962036D634B39E913BC0322584E5
                                                        SHA1:769427FCA217ACCDA232A61A9796AFFD6536C24B
                                                        SHA-256:E6A6126A0E0DA3279205A265388761D74CEADE122FAFC5A393C2D6B9DCC3B8E1
                                                        SHA-512:B23F44D6C1449F9268CF9ACC75ABB3F7402A8721BAC4BBE026EC8DC5F87FF3D576146E346D96A45F108D01A1B1AFC956C14E476A86C4A3D4E32E07C42F3301FF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: Metadefender, Detection: 40%, Browse
                                                        • Antivirus: ReversingLabs, Detection: 64%
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..`..............P..F...........e... ........... ....................................@.................................`e..O.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............P..............@..B.................e......H........;..x.......f....K..h.............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*&..(,....*...0..<........~.....(-.....,!r...p.....(....o/...s0............~.....+..*.0...........~.....+..*".......*.0...........(....r5..p~....o1....+..*...0..<........~.....(-.....,!rG..p.....(.
                                                        C:\Users\user\AppData\Roaming\cKGPEGrRS.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                        C:\Users\user\Documents\20210610\PowerShell_transcript.618321.3dgWtHGR.20210610164313.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1520
                                                        Entropy (8bit):5.345603285666763
                                                        Encrypted:false
                                                        SSDEEP:24:BxSAY7vBZCF+x2DOXUWeSuaBeW4HjeTKKjX4CIym1ZJXJuaBDxSAZC7vBZCF+x24:BZWvjCMoO+ShJ4qDYB1ZXhDZCvjCMoOj
                                                        MD5:A5A4E8D5C02F3E9236B780EA46191D18
                                                        SHA1:58496ACFDC13A3240EBCE1A929749C3A55503884
                                                        SHA-256:91892DD90697543A0F35F38678F9CFCB9DFEACA24D614370F3FC75D9456B6034
                                                        SHA-512:8488944B4DD144A8373E8B3F2A1E8174C4E0F9D180E58B11FB84A42936218F04A89321BC5D43B64F9B1283A465004EFEE75A400B928B156A5BA628720820D000
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610164340..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 618321 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..Process ID: 2860..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610164343..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..**********************..Windows PowerShell transcript start..Start time: 20210610165105..Username: computer\user..RunAs User: computer\user.
                                                        C:\Users\user\Documents\20210610\PowerShell_transcript.618321.78lZVBm4.20210610164310.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):2823
                                                        Entropy (8bit):5.436494782453794
                                                        Encrypted:false
                                                        SSDEEP:48:BZGvjCMoO+ShJsqDYB1ZzhDZevjCMoO+ShJsqDYB1ZEFDtich+3Ntich+3N:BZqjCMNHeqDo1ZdDZSjCMNHeqDo1Z+aw
                                                        MD5:C666C3F68F4928C6D7363CB2BBB1E5CD
                                                        SHA1:75912C9F9E3BDCEFFC190B2057B5157934CEF20A
                                                        SHA-256:58653F4998E5D79E9D3A6EC13C3FF345EFCE8374BAE235D6DAAE1D02CC10D9AD
                                                        SHA-512:981F7FDACE34F8E41C9337450BD7C9E66567BEDC3AFD2C41ABDF6E45046A2E8144E4B09D3235EF83CA4CF77D5C6AC59677DFC816A90249881E37B278A2CEC9D2
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610164335..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 618321 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..Process ID: 4624..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610164336..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..**********************..Windows PowerShell transcript start..Start time: 20210610165138..Username: computer\user..RunAs User: computer\user.
                                                        C:\Users\user\Documents\20210610\PowerShell_transcript.618321.MsaG93zL.20210610164344.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):844
                                                        Entropy (8bit):5.324758790991886
                                                        Encrypted:false
                                                        SSDEEP:24:BxSAF7vBZCF+x2DOXUWeSuaBeWDHjeTKKjX4CIym1ZJXqPVuaBy:BZxvjCMoO+ShJDqDYB1Zyhy
                                                        MD5:9A236061426BE1A5D92F02F7B0051A18
                                                        SHA1:B192D64602542CBCFEF1E92C977C824743404EC2
                                                        SHA-256:ADD10A80772094E571CF9616387E3E2489534E63E4BE806B736CEB3519E92793
                                                        SHA-512:AD2350601CE722BA10A9984636EB6282B1909FFA4440EF6251A4BBBB965859D6C2D5CE92283C4EED1DF67EC060BA09F1426C32443E2F028CF730541E287BA56C
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610164440..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 618321 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..Process ID: 6584..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610164441..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cKGPEGrRS.exe..
                                                        C:\Users\user\Documents\20210610\PowerShell_transcript.618321.izxR1blY.20210610164310.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):5079
                                                        Entropy (8bit):5.416594602844092
                                                        Encrypted:false
                                                        SSDEEP:96:BZtjCMNyqDo1ZNZ0jCMNyqDo1Z4oiQjZZjCMNyqDo1ZH5A9:kjoa
                                                        MD5:CD8A5E0B4479AD8E27E91127BA4E296A
                                                        SHA1:953C54B8E93EE7F2FB7E936DDF1FE497A3DA826B
                                                        SHA-256:85E0B6834BE209908470F6516551D35D85936E61B4177A777BE451D4E7A85301
                                                        SHA-512:5AEB1A1ABF69A1AF0455F2A4180506B7DFF6C034E964BBFDF8056397C602CBCB481F6D64441D3A5256C1BBEEF285537DF2CC1F2D022560375AC6836C98592F65
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610164332..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 618321 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\pIjxtI0ZlU.exe..Process ID: 5868..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610164333..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\pIjxtI0ZlU.exe..**********************..Windows PowerShell transcript start..Start time: 20210610165114..Username: computer\user..RunAs User: computer\user..Configuration
                                                        C:\Users\user\Documents\20210610\PowerShell_transcript.618321.nB5QM3Ux.20210610164336.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):850
                                                        Entropy (8bit):5.32274872558091
                                                        Encrypted:false
                                                        SSDEEP:24:BxSAIN7vBZCF+x2DOXUWeSur+WRHjeTKKjX4CIym1ZJXgFurS:BZsvjCMoO+SepRqDYB1Z2eS
                                                        MD5:B564DF21F06DDE543264248679CBAA90
                                                        SHA1:C0CB3985420035D6F4BEB0D5C1A7C93ED629AA84
                                                        SHA-256:B623138C11C1783DAB074FDF22F39004358FDD2A4294032CA43FD2D9E8596467
                                                        SHA-512:B24C49E5BE23EE343869C2A8AFDF8E218905888251AAD4C27631F12FF5EC7D667C43BB3D83303456F1FADE2988E4C0576B544AF962E0C580C584EE27E5C0945B
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210610164438..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 618321 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 6432..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210610164438..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.804008605753687
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:pIjxtI0ZlU.exe
                                                        File size:872960
                                                        MD5:a253962036d634b39e913bc0322584e5
                                                        SHA1:769427fca217accda232a61a9796affd6536c24b
                                                        SHA256:e6a6126a0e0da3279205a265388761d74ceade122fafc5a393c2d6b9dcc3b8e1
                                                        SHA512:b23f44d6c1449f9268cf9acc75abb3f7402a8721bac4bbe026ec8dc5f87ff3d576146e346d96a45f108d01a1b1afc956c14e476a86c4a3d4e32e07c42f3301ff
                                                        SSDEEP:24576:sTG4f1eyPqmm+zEXrT+LURFgLL43PpFUoEn7:oGoFmTrT+LUgLLr7
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..`..............P..F...........e... ........... ....................................@................................

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x110d65b2
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x11000000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60B49D5A [Mon May 31 08:24:58 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v2.0.50727
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [11002000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xd65600x4f.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xd80000x68c.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xda0000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xd45b80xd4600False0.864505545541data7.81196430764IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xd80000x68c0x800False0.373046875data3.67984589901IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xda0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_VERSION0xd80900x3fadata
                                                        RT_MANIFEST0xd849c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0000 0x04b0
                                                        LegalCopyright2009
                                                        Assembly Version1.1.7821.20549
                                                        InternalNameDayOfWeek.exe
                                                        FileVersion1.1.7821.20549
                                                        CompanyNameTransTech Software, Inc.
                                                        LegalTrademarks
                                                        CommentsContains Objects Meant to Facilitate the Manipulation of Barcodes of Diverse Formats
                                                        ProductName
                                                        ProductVersion1.1.7821.20549
                                                        FileDescriptionBARCODES
                                                        OriginalFilenameDayOfWeek.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                        06/10/21-16:43:16.181856TCP2025019ET TROJAN Possible NanoCore C2 60B497285230192.168.2.479.134.225.70
                                                        06/10/21-16:43:24.245980TCP2025019ET TROJAN Possible NanoCore C2 60B497305230192.168.2.479.134.225.70
                                                        06/10/21-16:43:32.581695TCP2025019ET TROJAN Possible NanoCore C2 60B497315230192.168.2.479.134.225.70
                                                        06/10/21-16:43:41.654459TCP2025019ET TROJAN Possible NanoCore C2 60B497325230192.168.2.479.134.225.70
                                                        06/10/21-16:43:51.838026TCP2025019ET TROJAN Possible NanoCore C2 60B497335230192.168.2.479.134.225.70
                                                        06/10/21-16:44:00.160563TCP2025019ET TROJAN Possible NanoCore C2 60B497355230192.168.2.479.134.225.70
                                                        06/10/21-16:44:09.365596TCP2025019ET TROJAN Possible NanoCore C2 60B497365230192.168.2.479.134.225.70
                                                        06/10/21-16:44:25.075133TCP2025019ET TROJAN Possible NanoCore C2 60B497375230192.168.2.479.134.225.70
                                                        06/10/21-16:44:35.323686TCP2025019ET TROJAN Possible NanoCore C2 60B497385230192.168.2.479.134.225.70
                                                        06/10/21-16:44:45.292661TCP2025019ET TROJAN Possible NanoCore C2 60B497395230192.168.2.479.134.225.70
                                                        06/10/21-16:44:55.386230TCP2025019ET TROJAN Possible NanoCore C2 60B497405230192.168.2.479.134.225.70
                                                        06/10/21-16:45:12.434729TCP2025019ET TROJAN Possible NanoCore C2 60B497415230192.168.2.479.134.225.70
                                                        06/10/21-16:45:35.247464TCP2025019ET TROJAN Possible NanoCore C2 60B497425230192.168.2.479.134.225.70

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 16:43:16.024492979 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.113758087 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.113936901 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.181855917 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.294272900 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.294373989 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.432559967 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.432707071 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.522967100 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.526746988 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.678693056 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.678771973 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.818378925 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.818485975 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.864856005 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.864876986 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.864892960 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.864916086 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.864940882 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.864975929 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.865078926 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.865109921 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.865670919 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.865705013 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.865794897 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.866991043 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.867013931 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.867182970 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.867711067 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.868005037 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.955205917 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.955363989 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.956078053 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.956505060 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.957096100 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.957200050 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.957225084 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.958020926 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.958456039 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.958506107 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.958832979 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.959007978 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.959086895 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.959183931 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.959244013 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.960151911 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.960357904 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.960694075 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.961189985 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.961616993 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.962091923 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.962137938 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.962249041 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.963211060 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.963277102 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.963614941 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.963697910 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.964103937 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.964195013 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.964644909 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.965117931 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.965162992 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.966207027 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.966310024 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:16.966613054 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:16.967576027 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.044435978 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.044728041 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.044868946 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.044939041 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.046880007 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.046961069 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.048396111 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.048487902 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.049957991 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.050033092 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.050471067 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.050563097 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.051470041 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.051630020 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.051913023 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.051989079 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.052479029 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.052566051 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.052972078 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.053143024 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.053404093 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.053476095 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.054542065 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.054776907 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.055052996 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.055092096 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.055164099 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.055660963 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.056015015 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.056274891 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.056476116 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.057106018 CEST52304972879.134.225.70192.168.2.4
                                                        Jun 10, 2021 16:43:17.057240009 CEST497285230192.168.2.479.134.225.70
                                                        Jun 10, 2021 16:43:17.057610035 CEST52304972879.134.225.70192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 16:43:15.909375906 CEST4925753192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:15.982986927 CEST53492578.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:43:24.033548117 CEST5585453192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:24.096941948 CEST53558548.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:43:32.141026020 CEST6454953192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:32.200649023 CEST53645498.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:43:40.648566961 CEST6315353192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:40.710187912 CEST53631538.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:43:51.682612896 CEST5299153192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:51.741216898 CEST53529918.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:43:59.743705034 CEST5172653192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:43:59.802645922 CEST53517268.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:44:08.700932980 CEST5679453192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:44:08.761003017 CEST53567948.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:44:24.462752104 CEST5653453192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:44:24.524466991 CEST53565348.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:44:34.109848022 CEST5662753192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:44:34.170095921 CEST53566278.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:44:44.421998978 CEST5662153192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:44:44.480829954 CEST53566218.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:44:54.815670967 CEST6311653192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:44:54.875230074 CEST53631168.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:45:10.016948938 CEST6407853192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:45:10.075479984 CEST53640788.8.4.4192.168.2.4
                                                        Jun 10, 2021 16:45:35.085431099 CEST6480153192.168.2.48.8.4.4
                                                        Jun 10, 2021 16:45:35.148183107 CEST53648018.8.4.4192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Jun 10, 2021 16:43:15.909375906 CEST192.168.2.48.8.4.40xf40cStandard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:24.033548117 CEST192.168.2.48.8.4.40xd569Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:32.141026020 CEST192.168.2.48.8.4.40x17dcStandard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:40.648566961 CEST192.168.2.48.8.4.40xc42cStandard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:51.682612896 CEST192.168.2.48.8.4.40xe131Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:59.743705034 CEST192.168.2.48.8.4.40x4168Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:08.700932980 CEST192.168.2.48.8.4.40x93f6Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:24.462752104 CEST192.168.2.48.8.4.40x9607Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:34.109848022 CEST192.168.2.48.8.4.40x9bb7Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:44.421998978 CEST192.168.2.48.8.4.40x2cbcStandard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:54.815670967 CEST192.168.2.48.8.4.40x78a7Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:45:10.016948938 CEST192.168.2.48.8.4.40xbd06Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:45:35.085431099 CEST192.168.2.48.8.4.40x2836Standard query (0)emedoo.ddns.netA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Jun 10, 2021 16:43:15.982986927 CEST8.8.4.4192.168.2.40xf40cNo error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:24.096941948 CEST8.8.4.4192.168.2.40xd569No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:32.200649023 CEST8.8.4.4192.168.2.40x17dcNo error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:40.710187912 CEST8.8.4.4192.168.2.40xc42cNo error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:51.741216898 CEST8.8.4.4192.168.2.40xe131No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:43:59.802645922 CEST8.8.4.4192.168.2.40x4168No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:08.761003017 CEST8.8.4.4192.168.2.40x93f6No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:24.524466991 CEST8.8.4.4192.168.2.40x9607No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:34.170095921 CEST8.8.4.4192.168.2.40x9bb7No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:44.480829954 CEST8.8.4.4192.168.2.40x2cbcNo error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:44:54.875230074 CEST8.8.4.4192.168.2.40x78a7No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:45:10.075479984 CEST8.8.4.4192.168.2.40xbd06No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)
                                                        Jun 10, 2021 16:45:35.148183107 CEST8.8.4.4192.168.2.40x2836No error (0)emedoo.ddns.net79.134.225.70A (IP address)IN (0x0001)

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        Analysis Process: pIjxtI0ZlU.exe PID: 5712 Parent PID: 5892

                                                        General

                                                        Start time:16:43:05
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
                                                        Imagebase:0xe60000
                                                        File size:872960 bytes
                                                        MD5 hash:A253962036D634B39E913BC0322584E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.663388588.00000000045E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.660754559.0000000003615000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Analysis Process: powershell.exe PID: 5868 Parent PID: 5712

                                                        General

                                                        Start time:16:43:07
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\pIjxtI0ZlU.exe'
                                                        Imagebase:0xf30000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 5792 Parent PID: 5868

                                                        General

                                                        Start time:16:43:08
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: powershell.exe PID: 4624 Parent PID: 5712

                                                        General

                                                        Start time:16:43:08
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
                                                        Imagebase:0xf30000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 64 Parent PID: 4624

                                                        General

                                                        Start time:16:43:08
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: schtasks.exe PID: 4184 Parent PID: 5712

                                                        General

                                                        Start time:16:43:08
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmp6A8A.tmp'
                                                        Imagebase:0x220000
                                                        File size:185856 bytes
                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 1900 Parent PID: 4184

                                                        General

                                                        Start time:16:43:09
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: powershell.exe PID: 2860 Parent PID: 5712

                                                        General

                                                        Start time:16:43:10
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
                                                        Imagebase:0xf30000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 4204 Parent PID: 2860

                                                        General

                                                        Start time:16:43:10
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: pIjxtI0ZlU.exe PID: 2208 Parent PID: 5712

                                                        General

                                                        Start time:16:43:10
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\pIjxtI0ZlU.exe
                                                        Imagebase:0xb40000
                                                        File size:872960 bytes
                                                        MD5 hash:A253962036D634B39E913BC0322584E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.949190405.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.945200916.0000000005F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.655614404.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000003.667634443.0000000004619000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.656249300.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.936110160.0000000003285000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.944714710.0000000005ED0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.944714710.0000000005ED0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.944949810.0000000005EF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.944949810.0000000005EF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.947720444.00000000068F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.947720444.00000000068F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.938032088.0000000004294000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.948576490.0000000006D10000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.948576490.0000000006D10000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.948873822.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.948873822.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.943539466.0000000005B20000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.945020551.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.945020551.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.947857649.0000000006910000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.947857649.0000000006910000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.949135204.0000000006E80000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.949135204.0000000006E80000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.943137206.0000000005880000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.943137206.0000000005880000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.948362673.0000000006BB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.948362673.0000000006BB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917666929.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.947592348.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.947592348.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        Reputation:low

                                                        Analysis Process: dhcpmon.exe PID: 6304 Parent PID: 3424

                                                        General

                                                        Start time:16:43:24
                                                        Start date:10/06/2021
                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                        Imagebase:0x4f0000
                                                        File size:872960 bytes
                                                        MD5 hash:A253962036D634B39E913BC0322584E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.754193726.0000000002D46000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.770095334.0000000003D11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 40%, Metadefender, Browse
                                                        • Detection: 64%, ReversingLabs
                                                        Reputation:low

                                                        Analysis Process: powershell.exe PID: 6432 Parent PID: 6304

                                                        General

                                                        Start time:16:43:30
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                        Imagebase:0xf30000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 6440 Parent PID: 6432

                                                        General

                                                        Start time:16:43:31
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: schtasks.exe PID: 6448 Parent PID: 6304

                                                        General

                                                        Start time:16:43:31
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cKGPEGrRS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF63.tmp'
                                                        Imagebase:0x220000
                                                        File size:185856 bytes
                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 6500 Parent PID: 6448

                                                        General

                                                        Start time:16:43:32
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Analysis Process: powershell.exe PID: 6584 Parent PID: 6304

                                                        General

                                                        Start time:16:43:33
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\cKGPEGrRS.exe'
                                                        Imagebase:0xf30000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        Analysis Process: conhost.exe PID: 6596 Parent PID: 6584

                                                        General

                                                        Start time:16:43:34
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Analysis Process: dhcpmon.exe PID: 6604 Parent PID: 6304

                                                        General

                                                        Start time:16:43:34
                                                        Start date:10/06/2021
                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Imagebase:0x1f0000
                                                        File size:872960 bytes
                                                        MD5 hash:A253962036D634B39E913BC0322584E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Analysis Process: dhcpmon.exe PID: 6716 Parent PID: 6304

                                                        General

                                                        Start time:16:43:36
                                                        Start date:10/06/2021
                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                        Imagebase:0x530000
                                                        File size:872960 bytes
                                                        MD5 hash:A253962036D634B39E913BC0322584E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.714388325.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.724479012.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.774513061.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.751437689.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.773226669.0000000002CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >