Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report E9sAsVQHNI.exe

Overview

General Information

Sample Name:E9sAsVQHNI.exe
Analysis ID:507942
MD5:12897cc89f6a46e25f9d5445e9299003
SHA1:6b3d478c2895cccbf8bfd6135338e517bb20707c
SHA256:f7943cf69c4834c48a432c2a76caa9eecc80fa9fffdf5868277556c6d3fefd64
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • E9sAsVQHNI.exe (PID: 2208 cmdline: 'C:\Users\user\Desktop\E9sAsVQHNI.exe' MD5: 12897CC89F6A46E25F9D5445E9299003)
    • powershell.exe (PID: 3116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3512 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • E9sAsVQHNI.exe (PID: 5916 cmdline: C:\Users\user\Desktop\E9sAsVQHNI.exe MD5: 12897CC89F6A46E25F9D5445E9299003)
  • dhcpmon.exe (PID: 4904 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 12897CC89F6A46E25F9D5445E9299003)
    • powershell.exe (PID: 6216 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 2240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6020 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 12897CC89F6A46E25F9D5445E9299003)
    • dhcpmon.exe (PID: 5208 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 12897CC89F6A46E25F9D5445E9299003)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1047d:$x1: NanoCore.ClientPluginHost
  • 0x104ba:$x2: IClientNetworkHost
  • 0x13fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x101e5:$a: NanoCore
    • 0x101f5:$a: NanoCore
    • 0x10429:$a: NanoCore
    • 0x1043d:$a: NanoCore
    • 0x1047d:$a: NanoCore
    • 0x10244:$b: ClientPlugin
    • 0x10446:$b: ClientPlugin
    • 0x10486:$b: ClientPlugin
    • 0x1036b:$c: ProjectData
    • 0x10d72:$d: DESCrypto
    • 0x1873e:$e: KeepAlive
    • 0x1672c:$g: LogClientMessage
    • 0x12927:$i: get_Connected
    • 0x110a8:$j: #=q
    • 0x110d8:$j: #=q
    • 0x110f4:$j: #=q
    • 0x11124:$j: #=q
    • 0x11140:$j: #=q
    • 0x1115c:$j: #=q
    • 0x1118c:$j: #=q
    • 0x111a8:$j: #=q
    00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    Click to see the 58 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xb184:$x1: NanoCore.ClientPluginHost
    • 0x23c50:$x1: NanoCore.ClientPluginHost
    • 0xb1b1:$x2: IClientNetworkHost
    • 0x23c7d:$x2: IClientNetworkHost
    9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xb184:$x2: NanoCore.ClientPluginHost
    • 0x23c50:$x2: NanoCore.ClientPluginHost
    • 0xc25f:$s4: PipeCreated
    • 0x24d2b:$s4: PipeCreated
    • 0xb19e:$s5: IClientLoggingHost
    • 0x23c6a:$s5: IClientLoggingHost
    9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      19.2.dhcpmon.exe.38f458d.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0x23c50:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
      • 0x23c7d:$x2: IClientNetworkHost
      19.2.dhcpmon.exe.38f458d.4.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0x23c50:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0x24d2b:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
      • 0x23c6a:$s5: IClientLoggingHost
      Click to see the 96 entries

      Sigma Overview

      AV Detection:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\E9sAsVQHNI.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\E9sAsVQHNI.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      System Summary:

      barindex
      Sigma detected: Powershell Defender ExclusionShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\E9sAsVQHNI.exe' , ParentImage: C:\Users\user\Desktop\E9sAsVQHNI.exe, ParentProcessId: 2208, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', ProcessId: 3116
      Sigma detected: Non Interactive PowerShellShow sources
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\E9sAsVQHNI.exe' , ParentImage: C:\Users\user\Desktop\E9sAsVQHNI.exe, ParentProcessId: 2208, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe', ProcessId: 3116
      Sigma detected: T1086 PowerShell ExecutionShow sources
      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132794110213796304.3116.DefaultAppDomain.powershell

      Stealing of Sensitive Information:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\E9sAsVQHNI.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\E9sAsVQHNI.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: E9sAsVQHNI.exeVirustotal: Detection: 43%Perma Link
      Source: E9sAsVQHNI.exeReversingLabs: Detection: 51%
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 43%Perma Link
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 51%
      Source: C:\Users\user\AppData\Roaming\VJGIel.exeReversingLabs: Detection: 51%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTR
      Source: 19.0.dhcpmon.exe.400000.5.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 19.0.dhcpmon.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 19.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 19.0.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpackAvira: Label: TR/NanoCore.fadte
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 19.0.dhcpmon.exe.400000.7.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: E9sAsVQHNI.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: E9sAsVQHNI.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Networking:

      barindex
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: luf.ddns.net
      Source: global trafficTCP traffic: 192.168.2.4:49778 -> 105.112.126.185:8282
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: unknownUDP traffic detected without corresponding DNS query: 37.235.1.174
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: E9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: dhcpmon.exeString found in binary or memory: https://www.ShelteringOak.com/
      Source: dhcpmon.exeString found in binary or memory: https://www.shelteringoak.com/dl/WindowsHealthCheck/WindowsHealthCheck.exe
      Source: dhcpmon.exeString found in binary or memory: https://www.shelteringoak.com/dl/WindowsHealthCheck/version.txt
      Source: unknownDNS traffic detected: queries for: luf.ddns.net
      Source: dhcpmon.exe, 0000000D.00000002.774908817.00000000017C8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: E9sAsVQHNI.exe, 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTR

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.dhcpmon.exe.2909658.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.E9sAsVQHNI.exe.51e0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: E9sAsVQHNI.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.dhcpmon.exe.2909658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.2909658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.E9sAsVQHNI.exe.51e0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.51e0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_04B781A0
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_04B7B2BB
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_04B76D68
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_04B76D57
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_04B7EAE0
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_07575FC0
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_07575FB2
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_07570040
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_0757001E
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_00112086
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_00E8E480
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_00E8E471
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_00E8BBD4
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_04E9F5F8
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_04E99788
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_04E9A5D0
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_04E9A610
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_00512086
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_01A5C77C
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_01A5EB20
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_01A5EB30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059A81A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059A91E8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059A6D57
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059A6D68
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059AEAD0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_059AEAE0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_08075FC0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_08070006
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_08070040
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_08075FB2
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00F92086
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_04DAE480
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_04DAE471
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_04DABBD4
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_004D2086
      Source: E9sAsVQHNI.exeBinary or memory string: OriginalFilename vs E9sAsVQHNI.exe
      Source: E9sAsVQHNI.exe, 00000000.00000003.718267316.0000000006C05000.00000004.00000010.sdmpBinary or memory string: OriginalFilenameIContributeEnvoySi.exeJ vs E9sAsVQHNI.exe
      Source: E9sAsVQHNI.exeBinary or memory string: OriginalFilename vs E9sAsVQHNI.exe
      Source: E9sAsVQHNI.exe, 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs E9sAsVQHNI.exe
      Source: E9sAsVQHNI.exe, 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs E9sAsVQHNI.exe
      Source: E9sAsVQHNI.exe, 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs E9sAsVQHNI.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
      Source: E9sAsVQHNI.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: VJGIel.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: E9sAsVQHNI.exeVirustotal: Detection: 43%
      Source: E9sAsVQHNI.exeReversingLabs: Detection: 51%
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile read: C:\Users\user\Desktop\E9sAsVQHNI.exeJump to behavior
      Source: E9sAsVQHNI.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\E9sAsVQHNI.exe 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Users\user\Desktop\E9sAsVQHNI.exe C:\Users\user\Desktop\E9sAsVQHNI.exe
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Users\user\Desktop\E9sAsVQHNI.exe C:\Users\user\Desktop\E9sAsVQHNI.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile created: C:\Users\user\AppData\Roaming\VJGIel.exeJump to behavior
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile created: C:\Users\user\AppData\Local\Temp\tmp618B.tmpJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/17@6/2
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: E9sAsVQHNI.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\cAaQfHfqafvr
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_01
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{086e57af-7b22-4ec3-b93e-b3b9bd99d4ca}
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: E9sAsVQHNI.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: E9sAsVQHNI.exeStatic file information: File size 1090560 > 1048576
      Source: E9sAsVQHNI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: E9sAsVQHNI.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x109800
      Source: E9sAsVQHNI.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: E9sAsVQHNI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_0011868C push es; retn 0000h
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 0_2_07574CB0 push ebp; iretd
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeCode function: 9_2_0051868C push es; retn 0000h
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00F9868C push es; retn 0000h
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_08074CB0 push ebp; iretd
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0014868C push es; retn 0000h
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 19_2_004D868C push es; retn 0000h
      Source: E9sAsVQHNI.exeStatic PE information: 0xFF629EA8 [Sat Oct 10 21:27:04 2105 UTC]
      Source: initial sampleStatic PE information: section name: .text entropy: 7.94856442088
      Source: initial sampleStatic PE information: section name: .text entropy: 7.94856442088
      Source: initial sampleStatic PE information: section name: .text entropy: 7.94856442088
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile created: C:\Users\user\AppData\Roaming\VJGIel.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeFile opened: C:\Users\user\Desktop\E9sAsVQHNI.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
      Yara detected AntiVM3Show sources
      Source: Yara matchFile source: 13.2.dhcpmon.exe.34f22b8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.25d227c.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: E9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: E9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exe TID: 1316Thread sleep time: -33949s >= -30000s
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exe TID: 5928Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5260Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exe TID: 6848Thread sleep time: -14757395258967632s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6676Thread sleep time: -46598s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3124Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2016Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6126
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2660
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeWindow / User API: threadDelayed 7245
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeWindow / User API: threadDelayed 2269
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeWindow / User API: foregroundWindowGot 743
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5257
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3188
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeThread delayed: delay time: 33949
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 46598
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: E9sAsVQHNI.exe, 00000009.00000002.945101682.0000000000D4C000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess token adjusted: Debug
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Injects a PE file into a foreign processesShow sources
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeMemory written: C:\Users\user\Desktop\E9sAsVQHNI.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Adds a directory exclusion to Windows DefenderShow sources
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp'
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeProcess created: C:\Users\user\Desktop\E9sAsVQHNI.exe C:\Users\user\Desktop\E9sAsVQHNI.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: E9sAsVQHNI.exe, 00000009.00000002.948798433.0000000005F1C000.00000004.00000010.sdmpBinary or memory string: Program Manager
      Source: E9sAsVQHNI.exe, 00000009.00000002.946016871.0000000001430000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: E9sAsVQHNI.exe, 00000009.00000002.946016871.0000000001430000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: E9sAsVQHNI.exe, 00000009.00000002.946016871.0000000001430000.00000002.00020000.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Users\user\Desktop\E9sAsVQHNI.exe VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Users\user\Desktop\E9sAsVQHNI.exe VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\E9sAsVQHNI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTR

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: E9sAsVQHNI.exe, 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: E9sAsVQHNI.exe, 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: E9sAsVQHNI.exe, 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39f458d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38f458d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eb12e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d4629.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.53d0000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.39eff64.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eff64.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.E9sAsVQHNI.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.dhcpmon.exe.38eb12e.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.0.dhcpmon.exe.400000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.E9sAsVQHNI.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.3689078.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.4713b28.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.E9sAsVQHNI.exe.37f3b28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 13.2.dhcpmon.exe.45a9078.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 2208, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: E9sAsVQHNI.exe PID: 5916, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4904, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5208, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsScheduled Task/Job1Scheduled Task/Job1Process Injection112Masquerading2Input Capture21Query Registry1Remote ServicesInput Capture21Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobDLL Side-Loading1Scheduled Task/Job1Disable or Modify Tools11LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)DLL Side-Loading1Virtualization/Sandbox Evasion31Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSVirtualization/Sandbox Evasion31Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)DLL Side-Loading1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 507942 Sample: E9sAsVQHNI.exe Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 51 luf.ddns.net 2->51 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 8 other signatures 2->65 8 E9sAsVQHNI.exe 7 2->8         started        12 dhcpmon.exe 5 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\VJGIel.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmp618B.tmp, XML 8->41 dropped 43 C:\Users\user\AppData\...9sAsVQHNI.exe.log, ASCII 8->43 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 8->67 69 Adds a directory exclusion to Windows Defender 8->69 71 Injects a PE file into a foreign processes 8->71 14 E9sAsVQHNI.exe 1 9 8->14         started        19 powershell.exe 25 8->19         started        21 schtasks.exe 1 8->21         started        23 powershell.exe 12->23         started        25 schtasks.exe 12->25         started        27 dhcpmon.exe 12->27         started        29 dhcpmon.exe 12->29         started        signatures6 process7 dnsIp8 53 luf.ddns.net 105.112.126.185, 8282 VNL1-ASNG Nigeria 14->53 55 127.0.0.1 unknown unknown 14->55 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 14->45 dropped 47 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 14->47 dropped 49 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 14->49 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->57 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      E9sAsVQHNI.exe43%VirustotalBrowse
      E9sAsVQHNI.exe51%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe43%VirustotalBrowse
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe51%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
      C:\Users\user\AppData\Roaming\VJGIel.exe51%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      19.0.dhcpmon.exe.400000.5.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      19.0.dhcpmon.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      19.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      19.0.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.E9sAsVQHNI.exe.53d0000.9.unpack100%AviraTR/NanoCore.fadteDownload File
      9.0.E9sAsVQHNI.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.E9sAsVQHNI.exe.400000.5.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.E9sAsVQHNI.exe.400000.7.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.E9sAsVQHNI.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.E9sAsVQHNI.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      19.0.dhcpmon.exe.400000.7.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      https://www.ShelteringOak.com/0%VirustotalBrowse
      https://www.ShelteringOak.com/0%Avira URL Cloudsafe
      http://www.collada.org/2005/11/COLLADASchema9Done0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      https://www.shelteringoak.com/dl/WindowsHealthCheck/version.txt0%Avira URL Cloudsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      https://www.shelteringoak.com/dl/WindowsHealthCheck/WindowsHealthCheck.exe2%VirustotalBrowse
      https://www.shelteringoak.com/dl/WindowsHealthCheck/WindowsHealthCheck.exe0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      luf.ddns.net
      		105.112.126.185
      		truefalse
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://www.apache.org/licenses/LICENSE-2.0E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
          		high
          http://www.fontbureau.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
            		high
            http://www.fontbureau.com/designersGE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designers/?E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                		high
                http://www.founder.com.cn/cn/bTheE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers?E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                  		high
                  http://www.tiro.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designersE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                    		high
                    http://www.goodfont.co.krE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://www.ShelteringOak.com/dhcpmon.exefalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.collada.org/2005/11/COLLADASchema9DoneE9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.carterandcone.comlE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.sajatypeworks.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netDE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers/cabarga.htmlNE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/cTheE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/staff/dennis.htmE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://fontfabrik.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/frere-user.htmlE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                        		high
                        https://www.shelteringoak.com/dl/WindowsHealthCheck/version.txtdhcpmon.exefalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://www.shelteringoak.com/dl/WindowsHealthCheck/WindowsHealthCheck.exedhcpmon.exefalse
                        • 2%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.galapagosdesign.com/DPleaseE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers8E9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fonts.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.sandoll.co.krE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.urwpp.deDPleaseE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.zhongyicts.com.cnE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameE9sAsVQHNI.exe, 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmpfalse
                              		high
                              http://www.sakkal.comE9sAsVQHNI.exe, 00000000.00000002.729274904.00000000065D2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown

                              Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public

                              IPDomainCountryFlagASNASN NameMalicious
                              105.112.126.185
                              		luf.ddns.netNigeria
                              		36873VNL1-ASNGfalse

                              Private

                              IP
                              127.0.0.1

                              General Information

                              Joe Sandbox Version:33.0.0 White Diamond
                              Analysis ID:507942
                              Start date:22.10.2021
                              Start time:23:15:46
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 13m 55s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:E9sAsVQHNI.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:28
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@20/17@6/2
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 0.3% (good quality ratio 0.3%)
                              • Quality average: 71.5%
                              • Quality standard deviation: 31.9%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              Show All
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235
                              • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Not all processes where analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              23:16:56API Interceptor871x Sleep call for process: E9sAsVQHNI.exe modified
                              23:17:03API Interceptor69x Sleep call for process: powershell.exe modified
                              23:17:16AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              23:17:28API Interceptor1x Sleep call for process: dhcpmon.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1090560
                              Entropy (8bit):7.943530607154984
                              Encrypted:false
                              SSDEEP:24576:jWFOB6AlAlKal/zPsKuLubbXwUv8hzZhg3+TE/+PnyuXzhU:zB6Y1O3yAwUkhzXgOTaYnyq
                              MD5:12897CC89F6A46E25F9D5445E9299003
                              SHA1:6B3D478C2895CCCBF8BFD6135338E517BB20707C
                              SHA-256:F7943CF69C4834C48A432C2A76CAA9EECC80FA9FFFDF5868277556C6D3FEFD64
                              SHA-512:0BAA5D19AE88A4BAB3D512717E0EA27D6D3EDCD4EA67712E90C0D5B0013E3FE6315E138514FC4BB39F07AF27E58D669CA87EA7126EDF43990A44FAFA1D64514F
                              Malicious:true
                              Antivirus:
                              • Antivirus: Virustotal, Detection: 43%, Browse
                              • Antivirus: ReversingLabs, Detection: 51%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...............0.............j.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................L.......H..........(............P...f...........................................0...........(......a...%.(....o....o.....%.r...p.%...%.r...p.%...(....o........(.....s........+....o.....o........X..j.o........-..o.........,..o .........,..o .....*.......P.1.........A.N.......".(!....*....0..............a...%.r...p.%.r...p.%.r...p.%.r...p.%.r#..p.%.r)..p.%.r/..p.%.r5..p.%.r;..p...l...+...l#.......@[....X... ....j[.....i/.. ....j.....+....-.rA..p..f......(".....+...*....0..............
                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E9sAsVQHNI.exe.log
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:true
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):19660
                              Entropy (8bit):5.577451911565371
                              Encrypted:false
                              SSDEEP:384:otADl+29nOzxRgSBKn+jul+OzoIptQ99V6NcgWM1M0Y0UP7zg:14K+ClncAKZINCp0AQ
                              MD5:D09040BC52EF8F09555002BFD1A1F03E
                              SHA1:F856C6282D9B6399F13523DC375A4AF607ED10E4
                              SHA-256:FFA9712069B07F92A21ADC35EAD3288CD89B477CBA80AD3D6EF245AACA58AC81
                              SHA-512:00177B912F44E3555A2FE5701EA198005FD0CEFE4A2A27F6A11A8ADFE0DE875544D9B53742A42319ACBC8EDA6A6DC1C39DAD99382AD187BA28EF713A2ABC344F
                              Malicious:false
                              Reputation:unknown
                              Preview: @...e...............................P.....u..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bk5dfwdf.cpj.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnn0tieb.2xx.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntlvqwb3.ijv.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p122nr1e.bs4.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\tmp618B.tmp
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1639
                              Entropy (8bit):5.1785032698281706
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG1Btn:cbhK79lNQR/rydbz9I3YODOLNdq3S
                              MD5:BAE07B8CB1F096A008E6F17AE20D6F7C
                              SHA1:36C4C52F1DFDDEEAFDF117E728FCE37967A8FB48
                              SHA-256:94830B7C7431D80B708060FC34DCCE160B0CD76338863EC1BF153FAE8F231E44
                              SHA-512:2C19F035C9C2A6A7AE8E62FB15145DF5297938CF82A92698A541186E3E9DD534310BE15B111AAB3E5550FA1B95E552685C5F59C5DC7B15521C46715D8EAFA7A6
                              Malicious:true
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                              C:\Users\user\AppData\Local\Temp\tmpD9.tmp
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1639
                              Entropy (8bit):5.1785032698281706
                              Encrypted:false
                              SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG1Btn:cbhK79lNQR/rydbz9I3YODOLNdq3S
                              MD5:BAE07B8CB1F096A008E6F17AE20D6F7C
                              SHA1:36C4C52F1DFDDEEAFDF117E728FCE37967A8FB48
                              SHA-256:94830B7C7431D80B708060FC34DCCE160B0CD76338863EC1BF153FAE8F231E44
                              SHA-512:2C19F035C9C2A6A7AE8E62FB15145DF5297938CF82A92698A541186E3E9DD534310BE15B111AAB3E5550FA1B95E552685C5F59C5DC7B15521C46715D8EAFA7A6
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:Non-ISO extended-ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:ju:y
                              MD5:43CD6519880F95FCCA3B20D6F4161D97
                              SHA1:9F259235B265DF2D6388BBDCE9ED89CC19741416
                              SHA-256:C422AE2E7CCF6618CDC2107884B9AE4B7018EC0798C0928D927E09CDD516F72B
                              SHA-512:3C1F335B7336EE42A80B9C8A60CE148AB7A8D2E8639654DAF7222A3F3CC30E13C3C946A5741C67AF70EEA40759AE7A2D67117481890391CD04EFC87F1D9E5B7C
                              Malicious:true
                              Reputation:unknown
                              Preview: ..O...H
                              C:\Users\user\AppData\Roaming\VJGIel.exe
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1090560
                              Entropy (8bit):7.943530607154984
                              Encrypted:false
                              SSDEEP:24576:jWFOB6AlAlKal/zPsKuLubbXwUv8hzZhg3+TE/+PnyuXzhU:zB6Y1O3yAwUkhzXgOTaYnyq
                              MD5:12897CC89F6A46E25F9D5445E9299003
                              SHA1:6B3D478C2895CCCBF8BFD6135338E517BB20707C
                              SHA-256:F7943CF69C4834C48A432C2A76CAA9EECC80FA9FFFDF5868277556C6D3FEFD64
                              SHA-512:0BAA5D19AE88A4BAB3D512717E0EA27D6D3EDCD4EA67712E90C0D5B0013E3FE6315E138514FC4BB39F07AF27E58D669CA87EA7126EDF43990A44FAFA1D64514F
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 51%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...............0.............j.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................L.......H..........(............P...f...........................................0...........(......a...%.(....o....o.....%.r...p.%...%.r...p.%...(....o........(.....s........+....o.....o........X..j.o........-..o.........,..o .........,..o .....*.......P.1.........A.N.......".(!....*....0..............a...%.r...p.%.r...p.%.r...p.%.r...p.%.r#..p.%.r)..p.%.r/..p.%.r5..p.%.r;..p...l...+...l#.......@[....X... ....j[.....i/.. ....j.....+....-.rA..p..f......(".....+...*....0..............
                              C:\Users\user\AppData\Roaming\VJGIel.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:false
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\Documents\20211022\PowerShell_transcript.609290.IkzwAfpe.20211022231731.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):3691
                              Entropy (8bit):5.22421762739372
                              Encrypted:false
                              SSDEEP:96:BZAjON0qDo1ZnZVjON0qDo1ZNVlzvOzGMzGMzwVZf:WvvyGgGgwn
                              MD5:2155BD71FAB2F277F641A0725A5DA39E
                              SHA1:518F35F4405C1605CEB10F59F3A4E9C4A1B914A2
                              SHA-256:D1642701A21FC7E52A23F7A1A60B218ED548A93133EC5199B086F005D576D29B
                              SHA-512:3221FA9F18DA7ACA6D2AEFC98B809174E3C50B122A38B881BAA742AF5DD4E647DBFB4317392BC40F84CFB007AFA32F1306249824864A207F9D29B0B45AC8FE56
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20211022231732..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 609290 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 6216..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211022231732..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..**********************..Windows PowerShell transcript start..Start time: 20211022232251..Username: computer\user..RunAs User: computer\
                              C:\Users\user\Documents\20211022\PowerShell_transcript.609290.eNdXD_qN.20211022231702.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5733
                              Entropy (8bit):5.397343890660485
                              Encrypted:false
                              SSDEEP:96:BZojONvGqDo1ZuYZCjONvGqDo1Zy7818j8jZ5jONvGqDo1ZPm8T8T8nZI:Fz0fq2F9IIT
                              MD5:9F2C2F26B623E1B9FB378EF66A406AC9
                              SHA1:9444CD15E72D3AC4217B45BE67A896D582DBD1B5
                              SHA-256:2E8C54EA155C0B31FDA11154564CB7FC835076D8E2CA446D818063ED1E57B83F
                              SHA-512:71DC246B93B7233F2F500B40F94F2228AA2C2297A2194DABDE6F07CEAAEAE3DF8C38518AE308E32DBCA155657CA2B4162A4D8A2D4A36F53F3DE597EC1F8C22E2
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20211022231703..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 609290 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\E9sAsVQHNI.exe..Process ID: 3116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211022231703..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\E9sAsVQHNI.exe..**********************..Windows PowerShell transcript start..Start time: 20211022232025..Username: computer\user..RunAs User: computer\user..Configuration

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.943530607154984
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:E9sAsVQHNI.exe
                              File size:1090560
                              MD5:12897cc89f6a46e25f9d5445e9299003
                              SHA1:6b3d478c2895cccbf8bfd6135338e517bb20707c
                              SHA256:f7943cf69c4834c48a432c2a76caa9eecc80fa9fffdf5868277556c6d3fefd64
                              SHA512:0baa5d19ae88a4bab3d512717e0ea27d6d3edcd4ea67712e90c0d5b0013e3fe6315e138514fc4bb39f07af27e58d669ca87ea7126edf43990a44fafa1d64514f
                              SSDEEP:24576:jWFOB6AlAlKal/zPsKuLubbXwUv8hzZhg3+TE/+PnyuXzhU:zB6Y1O3yAwUkhzXgOTaYnyq
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...............0.............j.... ........@.. ....................................@................................

                              File Icon

                              Icon Hash:00828e8e8686b000

                              Static PE Info

                              General

                              Entrypoint:0x50b76a
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0xFF629EA8 [Sat Oct 10 21:27:04 2105 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0x10b7180x4f.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x10c0000x6c4.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x10e0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x10b6fc0x1c.text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000x1097700x109800False0.953898341867data7.94856442088IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rsrc0x10c0000x6c40x800False0.36962890625data3.72331433617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0x10e0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountry
                              RT_VERSION0x10c0900x432data
                              RT_MANIFEST0x10c4d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Version Infos

                              DescriptionData
                              Translation0x0000 0x04b0
                              LegalCopyrightCopyright 2019 - 2021
                              Assembly Version2.22.619.1
                              InternalNameIContributeEnvoySi.exe
                              FileVersion2.22.619.1
                              CompanyNameCharlie Dobson
                              LegalTrademarks
                              CommentsPerforms various tasks to refresh the overall health of Windows
                              ProductNameWindows Health Check
                              ProductVersion2.22.619.1
                              FileDescriptionWindows Health Check
                              OriginalFilenameIContributeEnvoySi.exe

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Oct 22, 2021 23:17:13.975605011 CEST497788282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:16.983902931 CEST497788282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:22.985073090 CEST497788282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:33.163933992 CEST497828282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:36.205192089 CEST497828282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:42.204787970 CEST497828282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:51.356966972 CEST497838282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:17:54.487104893 CEST497838282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:00.503226995 CEST497838282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:25.273998976 CEST498558282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:28.286909103 CEST498558282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:34.287509918 CEST498558282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:42.128367901 CEST498608282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:45.132148027 CEST498608282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:51.132472038 CEST498608282192.168.2.4105.112.126.185
                              Oct 22, 2021 23:18:58.725038052 CEST498618282192.168.2.4105.112.126.185

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Oct 22, 2021 23:17:13.923624992 CEST4971453192.168.2.437.235.1.174
                              Oct 22, 2021 23:17:13.965949059 CEST534971437.235.1.174192.168.2.4
                              Oct 22, 2021 23:17:33.120450974 CEST4925753192.168.2.437.235.1.174
                              Oct 22, 2021 23:17:33.162286043 CEST534925737.235.1.174192.168.2.4
                              Oct 22, 2021 23:17:51.312005997 CEST6238953192.168.2.437.235.1.174
                              Oct 22, 2021 23:17:51.353658915 CEST536238937.235.1.174192.168.2.4
                              Oct 22, 2021 23:18:25.229526997 CEST6407853192.168.2.437.235.1.174
                              Oct 22, 2021 23:18:25.271047115 CEST536407837.235.1.174192.168.2.4
                              Oct 22, 2021 23:18:42.074781895 CEST5125553192.168.2.437.235.1.174
                              Oct 22, 2021 23:18:42.126657009 CEST535125537.235.1.174192.168.2.4
                              Oct 22, 2021 23:18:58.681713104 CEST6152253192.168.2.437.235.1.174
                              Oct 22, 2021 23:18:58.724258900 CEST536152237.235.1.174192.168.2.4

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                              Oct 22, 2021 23:17:13.923624992 CEST192.168.2.437.235.1.1740xc417Standard query (0)luf.ddns.netA (IP address)IN (0x0001)
                              Oct 22, 2021 23:17:33.120450974 CEST192.168.2.437.235.1.1740x4cabStandard query (0)luf.ddns.netA (IP address)IN (0x0001)
                              Oct 22, 2021 23:17:51.312005997 CEST192.168.2.437.235.1.1740x9eeStandard query (0)luf.ddns.netA (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:25.229526997 CEST192.168.2.437.235.1.1740xdb0cStandard query (0)luf.ddns.netA (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:42.074781895 CEST192.168.2.437.235.1.1740xd609Standard query (0)luf.ddns.netA (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:58.681713104 CEST192.168.2.437.235.1.1740xce97Standard query (0)luf.ddns.netA (IP address)IN (0x0001)

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                              Oct 22, 2021 23:17:13.965949059 CEST37.235.1.174192.168.2.40xc417No error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)
                              Oct 22, 2021 23:17:33.162286043 CEST37.235.1.174192.168.2.40x4cabNo error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)
                              Oct 22, 2021 23:17:51.353658915 CEST37.235.1.174192.168.2.40x9eeNo error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:25.271047115 CEST37.235.1.174192.168.2.40xdb0cNo error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:42.126657009 CEST37.235.1.174192.168.2.40xd609No error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)
                              Oct 22, 2021 23:18:58.724258900 CEST37.235.1.174192.168.2.40xce97No error (0)luf.ddns.net105.112.126.185A (IP address)IN (0x0001)

                              Code Manipulations

                              Statistics

                              Behavior

                              Click to jump to process

                              System Behavior

                              Analysis Process: E9sAsVQHNI.exe PID: 2208 Parent PID: 3484

                              General

                              Start time:23:16:49
                              Start date:22/10/2021
                              Path:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\E9sAsVQHNI.exe'
                              Imagebase:0x110000
                              File size:1090560 bytes
                              MD5 hash:12897CC89F6A46E25F9D5445E9299003
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.726746792.0000000003A24000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.722817180.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.724435556.00000000035B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Analysis Process: powershell.exe PID: 3116 Parent PID: 2208

                              General

                              Start time:23:17:01
                              Start date:22/10/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\E9sAsVQHNI.exe'
                              Imagebase:0x1180000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              Analysis Process: conhost.exe PID: 1368 Parent PID: 3116

                              General

                              Start time:23:17:01
                              Start date:22/10/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: schtasks.exe PID: 3512 Parent PID: 2208

                              General

                              Start time:23:17:02
                              Start date:22/10/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmp618B.tmp'
                              Imagebase:0x8e0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: conhost.exe PID: 5876 Parent PID: 3512

                              General

                              Start time:23:17:03
                              Start date:22/10/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: E9sAsVQHNI.exe PID: 5916 Parent PID: 2208

                              General

                              Start time:23:17:03
                              Start date:22/10/2021
                              Path:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\E9sAsVQHNI.exe
                              Imagebase:0x510000
                              File size:1090560 bytes
                              MD5 hash:12897CC89F6A46E25F9D5445E9299003
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.948337416.00000000051E0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.716563336.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.947543722.00000000039E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.948515528.00000000053D0000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.944512667.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.715559984.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.715990081.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Analysis Process: dhcpmon.exe PID: 4904 Parent PID: 3424

                              General

                              Start time:23:17:24
                              Start date:22/10/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                              Imagebase:0xf90000
                              File size:1090560 bytes
                              MD5 hash:12897CC89F6A46E25F9D5445E9299003
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.780712036.0000000004944000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.779038136.00000000044D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.776167678.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 43%, Virustotal, Browse
                              • Detection: 51%, ReversingLabs
                              Reputation:low

                              Analysis Process: powershell.exe PID: 6216 Parent PID: 4904

                              General

                              Start time:23:17:30
                              Start date:22/10/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                              Imagebase:0x1180000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              Analysis Process: conhost.exe PID: 6384 Parent PID: 6216

                              General

                              Start time:23:17:30
                              Start date:22/10/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: schtasks.exe PID: 2240 Parent PID: 4904

                              General

                              Start time:23:17:30
                              Start date:22/10/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VJGIel' /XML 'C:\Users\user\AppData\Local\Temp\tmpD9.tmp'
                              Imagebase:0x8e0000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: conhost.exe PID: 6032 Parent PID: 2240

                              General

                              Start time:23:17:31
                              Start date:22/10/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff724c50000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Analysis Process: dhcpmon.exe PID: 6020 Parent PID: 4904

                              General

                              Start time:23:17:31
                              Start date:22/10/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Imagebase:0x140000
                              File size:1090560 bytes
                              MD5 hash:12897CC89F6A46E25F9D5445E9299003
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Analysis Process: dhcpmon.exe PID: 5208 Parent PID: 4904

                              General

                              Start time:23:17:32
                              Start date:22/10/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Imagebase:0x4d0000
                              File size:1090560 bytes
                              MD5 hash:12897CC89F6A46E25F9D5445E9299003
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.770688814.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.771993806.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.770077209.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.797200941.00000000038A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.792430541.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.797105427.00000000028A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                              Disassembly

                              Code Analysis

                              Reset < >