Windows Analysis Report PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe

Overview

General Information

Sample Name: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Analysis ID: 526551
MD5: 7ba9068de522fcef76dd98dc7e1d6f4e
SHA1: 9a7b48eb45986398308b356851638545189070b4
SHA256: 3a247872a0d5d1686d14a0fcde7143a0f501a3520abd05dc261dbb4373de29fb
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Add Task From User AppData Temp
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe" MD5: 7BA9068DE522FCEF76DD98DC7E1D6F4E)
    • powershell.exe (PID: 7164 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1364 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6348 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 7040 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 7BA9068DE522FCEF76DD98DC7E1D6F4E)
    • powershell.exe (PID: 7116 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4876 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5912 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 4596 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 7BA9068DE522FCEF76DD98DC7E1D6F4E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7bac51af-6e1b-49a6-b8e9-5df85863", "Group": "Ziba", "Domain1": "james12.ddns.net", "Domain2": "", "Port": 6327, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "james12.ddns.net", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(table truncated; the full report lists 59 memory dump matches)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x18dbe:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x18de8:$x2: IClientNetworkHost
10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x18dbe:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x1ac6e:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
14.2.dhcpmon.exe.43995b0.2.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.43995b0.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
(table truncated; the full report lists 110 unpacked PE matches)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 2800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 2800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe" , ParentImage: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ParentProcessId: 6904, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp, ProcessId: 6348
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe" , ParentImage: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ParentProcessId: 6904, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 7164
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe" , ParentImage: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ParentProcessId: 6904, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 7164
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132820764336986159.7164.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 2800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, ProcessId: 2800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7bac51af-6e1b-49a6-b8e9-5df85863", "Group": "Ziba", "Domain1": "james12.ddns.net", "Domain2": "", "Port": 6327, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 50, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "james12.ddns.net", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; Virustotal: Detection: 26%
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for domain / URL
Source: james12.ddns.net; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\rEyeIgLUX.exe; ReversingLabs: Detection: 28%
Yara detected Nanocore RAT
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.755956371.00000000043A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.dhcpmon.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.dhcpmon.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.dhcpmon.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.dhcpmon.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.dhcpmon.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe; Code function: 4x nop then jmp 055ACE17h (19 identical hits reported)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 4x nop then jmp 02F0C6C7h (19 identical hits reported)

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49749 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49756 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49800 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49801 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49803 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49805 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49814 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49833 -> 194.5.98.48:6327
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49834 -> 194.5.98.48:6327
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs:
        Source: Malware configuration extractor | URLs: james12.ddns.net
        Uses dynamic DNS services
        Source: unknown | DNS query: name: james12.ddns.net
        Source: Joe Sandbox View | ASN Name: DANILENKODE
        Source: Joe Sandbox View | IP Address: 194.5.98.48
        Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 194.5.98.48:6327
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com6
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com?-e
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678190939.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC;
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comgy
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comint
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678289086.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comter
        Source: dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://www.chinhdo.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp, PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp, PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680419162.0000000005858000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681513299.0000000005855000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers)
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680353179.0000000005858000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681008377.0000000005855000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html/)
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680729857.0000000005855000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersN
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681889122.0000000005855000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersV
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682041422.0000000005855000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717454894.0000000005820000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsFSL
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676311116.000000000583B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comcoo
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp, PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677720141.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677869895.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/gHAV9-
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnJ-9
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnb-/
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnb-n
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.684013701.000000000582D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676187914.000000000583B000.00000004.00000001.sdmp, PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676187914.000000000583B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com6
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677236226.0000000005829000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr201
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677236226.0000000005829000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krimale
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676719792.000000000583B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com8o
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676697952.000000000583B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comLo
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676752950.000000000583B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comyo
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deBU
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknown | DNS traffic detected: queries for: james12.ddns.net
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715493482.000000000143B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000003.755956371.00000000043A4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.2db3ac8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43bdd24.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.2db3ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.2db3ac8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_00D66F2F
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_013F6A34
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_055A4450
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_055A37C8
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_055A37B9
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_055A3A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00B16F2F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F03A10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F037C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F037B9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02F04450
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_005D6F2F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00C12477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_028D2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_028D23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_028D306F
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 0640085F appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 064017FF appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 06401417 appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 0640008F appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 0640102F appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 064077C7 appears 35 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: String function: 06400C47 appears 196 times
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_06AB134E NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_06AB1314 NtQuerySystemInformation,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_06D8134E NtQuerySystemInformation,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_06D81314 NtQuerySystemInformation,
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.719541592.0000000007500000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715235342.0000000000DE4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIBindableIterat.exeL vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715493482.000000000143B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717026571.0000000004772000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000000.703698490.00000000008D4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIBindableIterat.exeL vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Binary or memory string: OriginalFilenameIBindableIterat.exeL vs PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: rEyeIgLUX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Virustotal: Detection: 26%
Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | File read: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_06AB127E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Code function: 0_2_06AB1247 AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_06D8127E AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_06D81247 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | File created: C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp467D.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/25@17/2
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3296:120:WilError_01
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\ayphGwuXmlCSZgZkFojTOP
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_01
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7bac51af-6e1b-49a6-b8e9-5df858630b31}
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File created: C:\Program Files (x86)\DHCP Monitor
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs	Cryptographic APIs: 'CreateDecryptor'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs	Cryptographic APIs: 'TransformFinalBlock'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs	Cryptographic APIs: 'CreateDecryptor'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs	Cryptographic APIs: 'TransformFinalBlock'
        Source: Window Recorder	Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Code function: 0_2_013F88B4 push eax; ret
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Code function: 0_2_013F8968 push ebp; ret
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Code function: 0_2_013F88C8 push ecx; ret
        Source: initial sample	Static PE information: section name: .text entropy: 7.71310269817
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File created: C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	File opened: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.35b3478.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.3293458.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.775731201.0000000003406000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.715793394.00000000035A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.716174408.0000000003729000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715793394.00000000035A1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715793394.00000000035A1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 6908 | Thread sleep time: -37259s >= -30000s
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 6932 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3436 | Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380 | Thread sleep count: 4323 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5032 | Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380 | Thread sleep count: 262 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5984 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 5616 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 5616 | Thread sleep count: 173 > 30
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 5616 | Thread sleep count: 216 > 30
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe TID: 5640 | Thread sleep count: 51 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7044 | Thread sleep time: -35135s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7020 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6332 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3206
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4323
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Window / User API: foregroundWindowGot 738
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Window / User API: foregroundWindowGot 609
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7022
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 920
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6135
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Thread delayed: delay time: 37259
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 35135
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.715547027.00000000014A9000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}KG
        Source: dhcpmon.exe, 0000000E.00000002.774996470.00000000012B4000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.790303511.0000000001058000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into foreign processes
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Memory written: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Adds a directory exclusion to Windows Defender
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Process created: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.832386019.0000000001057000.00000004.00000001.sdmp | Binary or memory string: Program ManagerH
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Binary or memory string: Program Manager
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.779161958.0000000006401000.00000004.00000001.sdmp | Binary or memory string: Program Manager5
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.790303511.0000000001058000.00000004.00000001.sdmp | Binary or memory string: Program Managert$
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RATShow sources
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000003.755956371.00000000043A4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: dhcpmon.exe, 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a9b21.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43995b0.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dde41c.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dde41c.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43cbfd0.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43cbfd0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3de2a45.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.dhcpmon.exe.3dd95e6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43a54f8.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46ec288.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.43995b0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.46b9868.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e47c1.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43e0198.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.3.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.43db362.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000003.755956371.00000000043A4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 6904, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe PID: 2800, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4596, type: MEMORYSTR

        Mitre Att&ck Matrix

        (One row per matrix position; cells are separated by " | ", an empty cell is left blank, and the trailing digits on a cell are the per-technique signature counts shown in the report.)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | Input Capture 21 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | System Information Discovery 12 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 112 | Obfuscated Files or Information 4 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job 1 | Software Packing 13 | NTDS | Security Software Discovery 221 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 2 | Cached Domain Credentials | Virtualization/Sandbox Evasion 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 31 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 112 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 526551
Sample: PURCHASE ORDER EXPORT1024MG...
Start date: 22/11/2021
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph's text export. Numbers in square brackets are the graph's node IDs; a number in parentheses after a process name is that node's created-files/registry-values count as drawn on the graph.

[2] Analysis start
  • DNS/IP: james12.ddns.net [57]
  • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures
  • Started:
    [8] PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe (7)
      • Dropped: C:\Users\user\AppData\Roaming\rEyeIgLUX.exe, PE32 [45]; C:\Users\user\AppData\Local\...\tmp467D.tmp, XML [47]; PURCHASE ORDER EXP...NED DOC_pdf.exe.log, ASCII [49]
      • Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
      • Started:
        [14] PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
          • DNS/IP: james12.ddns.net 194.5.98.48, ports 49749, 49750, 49753, DANILENKODE, Netherlands [59]; 192.168.2.1, unknown [61]
          • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32 [51]; C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 [53]; C:\...\dhcpmon.exe:Zone.Identifier, ASCII [55]
          • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        [19] powershell.exe (24), started [33] conhost.exe
        [21] powershell.exe (25), started [35] conhost.exe
        [23] schtasks.exe, started [37] conhost.exe
    [12] dhcpmon.exe
      • Started:
        [25] powershell.exe, started [39] conhost.exe
        [27] powershell.exe, started [41] conhost.exe
        [29] schtasks.exe, started [43] conhost.exe
        [31] dhcpmon.exe

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | 27% | Virustotal | -
PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla

        Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\rEyeIgLUX.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla

        Unpacked PE Files

Source | Detection | Scanner | Label
10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.0.PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
21.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

Source | Detection | Scanner | Label
james12.ddns.net | 9% | Virustotal | -

        URLs

Source | Detection | Scanner | Label
(empty URL) | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.com6 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnJ-9 | 0% | Avira URL Cloud | safe
http://www.carterandcone.com6 | 0% | Avira URL Cloud | safe
http://www.tiro.com8o | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.sandoll.co.krimale | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnb-n | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC; | 0% | Avira URL Cloud | safe
http://www.urwpp.deBU | 0% | Avira URL Cloud | safe
http://www.fonts.comcoo | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.carterandcone.comter | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
james12.ddns.net | 0% | Avira URL Cloud | safe
http://www.chinhdo.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.carterandcone.come | 0% | URL Reputation | safe
http://www.carterandcone.comgy | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/gHAV9- | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.sandoll.co.kr201 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.tiro.comLo | 0% | Avira URL Cloud | safe
http://www.carterandcone.comint | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cnb-/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comalsFSL | 0% | Avira URL Cloud | safe
http://www.tiro.comyo | 0% | Avira URL Cloud | safe
http://www.carterandcone.com?-e | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
james12.ddns.net | 194.5.98.48 | true | true | - | unknown

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
(empty URL) | true | Avira URL Cloud: safe | low
james12.ddns.net | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com6 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676187914.000000000583B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersV | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681889122.0000000005855000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnJ-9 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com6 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com8o | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676719792.000000000583B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp; PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680419162.0000000005858000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersN | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680729857.0000000005855000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676187914.000000000583B000.00000004.00000001.sdmp; PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krimale | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677236226.0000000005829000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnb-n | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC; | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deBU | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comcoo | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676311116.000000000583B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comter | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678289086.000000000585E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html/) | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681008377.0000000005855000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.chinhdo.com | dhcpmon.exe, 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerst | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682041422.0000000005855000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com= | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp; PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.684013701.000000000582D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.come | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comgy | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678190939.000000000585E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/gHAV9- | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677869895.0000000005824000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717454894.0000000005820000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr201 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677236226.0000000005829000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers) | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.681513299.0000000005855000.00000004.00000001.sdmp | false | - | high
http://www.tiro.comLo | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676697952.000000000583B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comint | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp; PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677720141.0000000005824000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnb-/ | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.677706047.000000000585D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsFSL | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.682391014.0000000005824000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000002.717601775.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.tiro.comyo | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.676752950.000000000583B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.680353179.0000000005858000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.com?-e | PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe, 00000000.00000003.678405828.000000000585E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.48 | james12.ddns.net | Netherlands | 208476 | DANILENKODE | true

Private

IP
192.168.2.1

                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 526551
Start date: 22.11.2021
Start time: 18:39:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@24/25@17/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
18:40:32 | API Interceptor | 830x Sleep call for process: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe modified
18:40:37 | API Interceptor | 144x Sleep call for process: powershell.exe modified
18:40:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:40:59 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified
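Between them, the behavior graph and the Autostart entry above give a responder a concrete set of host artifacts: the Run value "DHCP Monitor" pointing at C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, the dropped rEyeIgLUX.exe in the user's AppData\Roaming, the Windows Defender directory exclusion added through PowerShell, the schtasks.exe-created task, and the C2 name james12.ddns.net that resolved to 194.5.98.48 during this run. The script below is an added host-hunt example in PowerShell, not part of the Joe Sandbox report, that checks a Windows host for those artifacts. Its assumptions: it looks for rEyeIgLUX.exe under every profile in C:\Users (the report shows it under one user); the report does not say which directory was excluded from Defender, so the exclusion check flags any path under AppData or containing "DHCP Monitor"; the task name is not in the report, so tasks are matched by the binary their action runs; the known-bad SHA-256 list is a parameter left for the reader to fill from the report's hash values. Two caveats a practitioner will want: james12.ddns.net is a dynamic-DNS name, and the context section further down shows the same name resolving to 91.193.75.132 and 79.134.225.7 for other samples, so the IP match is only as good as the analysis date; and the ports the graph lists (49749, 49750, 49753) are in the Windows ephemeral range, that is, the sandbox's own source ports, so the connection check keys on the remote address only.

```powershell
#Requires -RunAsAdministrator
# Host hunt for the persistence and C2 artifacts recorded in Joe Sandbox analysis 526551.
# Added example, not part of the report. Detection only; it changes nothing on the host.
param(
    [string[]] $KnownBadSha256 = @()   # fill from the report's sample / dropped-file SHA-256 values
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Run-key autostart from the Simulations table: value "DHCP Monitor" -> dhcpmon.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['DHCP Monitor']) {
    $findings.Add("Run key value 'DHCP Monitor' -> $($run.'DHCP Monitor')")
}

# 2. Dropped executables. The per-user path is checked for every profile (assumption:
#    the report only shows it under one user), and hashed against the known-bad list.
$paths = @('C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe')
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $paths += Join-Path $userDir.FullName 'AppData\Roaming\rEyeIgLUX.exe'
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $tag = if ($KnownBadSha256 -contains $hash) { 'KNOWN-BAD' } else { 'present, hash not in list' }
        $findings.Add("File $p ($tag, SHA256 $hash)")
    }
}

# 3. Defender exclusions. The report records a directory exclusion being added via
#    PowerShell but not which directory; assumption: flag AppData or "DHCP Monitor" paths.
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($e in @($exclusions)) {
    if ($e -and $e -match 'AppData|DHCP Monitor') { $findings.Add("Defender exclusion: $e") }
}

# 4. Scheduled tasks whose action launches one of the dropped binaries (task name unknown).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match 'dhcpmon\.exe|rEyeIgLUX\.exe') {
            $findings.Add("Scheduled task '$($_.TaskName)' runs $($a.Execute)")
        }
    }
}

# 5. C2: the DDNS name and the address it resolved to on the analysis date. Ports are
#    ignored because the report only lists ephemeral-range (source) ports.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq 'james12.ddns.net' -or $_.Data -eq '194.5.98.48' } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq '194.5.98.48' } |
    ForEach-Object { $findings.Add("TCP to 194.5.98.48:$($_.RemotePort) from PID $($_.OwningProcess)") }

if ($findings.Count -eq 0) { 'No indicators from analysis 526551 found on this host.' } else { $findings }
```

Run it elevated (the Run key under HKLM and Get-MpPreference need it) and pass the hashes from the report: `.\hunt-526551.ps1 -KnownBadSha256 '<sha256>', '<sha256>'`. A hit on the Run value, the task or the Defender exclusion is persistence and should be treated as a confirmed compromise even when the binaries have since been removed.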

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          194.5.98.48ESTADO+10+DE+NOVIEMBRE+DE+2021-101121.pdf.jsGet hashmaliciousBrowse
                                            PURCHASE ORDER EXPORT1024 SCANNED DOC_pdf.exeGet hashmaliciousBrowse
                                              XdZ4ad8GpU.exeGet hashmaliciousBrowse
                                                we-ship-SNE-9874657.xlsxGet hashmaliciousBrowse
                                                  XnQ8NBKkhW.exeGet hashmaliciousBrowse
                                                    YdACOWCggQ.exeGet hashmaliciousBrowse
                                                      Import order764536.xlsxGet hashmaliciousBrowse
                                                        Bill of Lading, Invoice, & Packing LIsts.exeGet hashmaliciousBrowse
                                                          Quotation Price - Double R Trading b.v.exeGet hashmaliciousBrowse
                                                            Nizi International S.A. #New Order.exeGet hashmaliciousBrowse
                                                              DHL Import Clearance #U2013 Consignment #6225954602.exeGet hashmaliciousBrowse
                                                                soa5.exeGet hashmaliciousBrowse
                                                                  soa5.exeGet hashmaliciousBrowse
                                                                    PO SKP 149684.jarGet hashmaliciousBrowse
                                                                      TECHNICAL OFFERS.exeGet hashmaliciousBrowse
                                                                        17New P.O_signed.exeGet hashmaliciousBrowse

Domains

Match: james12.ddns.net

Associated Sample Name / URL                                   Detection   Context (IP contacted)
PURCHASE ORDER EXPORT1024 SCANNED DOC_pdf.exe                  malicious   194.5.98.48
PURCHASE ORDER EXPORTO52022 IMG00987066 SCANNED DOC_PDF.exe    malicious   91.193.75.132
qd9HlAs3XV.exe                                                 malicious   91.193.75.132
wDIaJji4Vv.exe                                                 malicious   79.134.225.7
hbvo9thTAX.exe                                                 malicious   79.134.225.7
PURCHASE ORDER EXPORT0022355048 SCAN DOC_PDF.exe               malicious   79.134.225.7

ASN

Match: DANILENKODE

Associated Sample Name / URL                         Detection   Context (IP contacted)
purchase order Nl32855 (1).exe                       malicious   194.5.98.139
8mTwU7uNFV.exe                                       malicious   194.5.97.131
KNpmkMT5f3.exe                                       malicious   194.5.98.12
scvRj4lo1E.exe                                       malicious   194.5.98.11
#RFQ ORDER484425083-NJ.exe                           malicious   194.5.98.120
RzUbuIerbF.exe                                       malicious   194.5.97.207
SIGNED_COPY_IMG_ORDER_...REQUEST_IMG_123456.exe      malicious   194.5.98.5
NOA MU21S0029729.exe                                 malicious   194.5.97.207
New purchase order 4940009190,pdf.exe                malicious   194.5.97.23
Fattura_del_cliente_V406307-scan.exe                 malicious   194.5.97.165
ML822VOG-R11.doc                                     malicious   194.5.97.131
6Xzgfme0z6.exe                                       malicious   194.5.97.131
ESTADO+10+DE+NOVIEMBRE+DE+2021-101121.pdf.js         malicious   194.5.98.48
RTQFHtPW9x.exe                                       malicious   194.5.98.107
Document#053681.exe                                  malicious   194.5.98.204
4vo6jE1nlG.exe                                       malicious   194.5.97.54
ORDEN DE COMPRA-PDF.exe                              malicious   194.5.97.149
Confirmation Transfer Copy MT102-Ref No#01018.exe    malicious   194.5.98.105
Confirmation Transfer Copy MT102-Ref No-01018.exe    malicious   194.5.98.105
PAYMENT COPY EXPORT1024 SCANNED DOCUMENT_pdf.exe     malicious   194.5.98.30

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Process:C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):528896
                                                                          Entropy (8bit):7.701920893284902
                                                                          Encrypted:false
                                                                          SSDEEP:12288:/sRtD00gTfhllXbNGMporp7d1tEQE6Zfj:/sRC0gTpXBIp7d3np1
                                                                          MD5:7BA9068DE522FCEF76DD98DC7E1D6F4E
                                                                          SHA1:9A7B48EB45986398308B356851638545189070B4
                                                                          SHA-256:3A247872A0D5D1686D14A0FCDE7143A0F501A3520ABD05DC261DBB4373DE29FB
                                                                          SHA-512:DF562F256CD32FEABC8FC764E3D2CD3EE4E1EE2D90FA4C8059DB5E4442EFEF830E99E7D0B4FEEDC8850852FBFF085EE9F4241563D7BE34CAC7C4BE4D25C71B89
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a..............0..............&... ...@....@.. ....................................@.................................\&..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......xj...F......k...L....u..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........A...%...%...%...%..........%.r...p.%.rI..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview: [ZoneTransfer]....ZoneId=0
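Two things in the two entries above are worth checking by hand rather than trusting the verdict column: the dropped dhcpmon.exe carries exactly the same MD5, SHA1 and SHA-256 as the submitted sample (it is a byte-identical self-copy, not a second-stage payload), and its Zone.Identifier stream says ZoneId=0 (local machine), which is the signal behind the "hides that the sample has been downloaded from the Internet" verdict. The Python below is an added triage example, not Joe Sandbox or NanoCore code: it parses a Zone.Identifier stream, maps the zone number to its name, compares the hashes copied from this report, and shows that the one-byte __PSScriptPolicyTest_*.ps1/.psm1 files listed further down hash to the literal byte "1", i.e. PowerShell's own AppLocker/WDAC lockdown probe rather than something the malware wrote. The stream contents are constructed from the report preview (their exact byte layout is an assumption), and read_zone_stream only works on NTFS under Windows and is not exercised here.

```python
"""Zone.Identifier and hash triage for the dropped dhcpmon.exe.

Added example, not Joe Sandbox or NanoCore code. Hash constants are copied
from this report; the stream contents are CONSTRUCTED from the report preview
("[ZoneTransfer]....ZoneId=0"), so their exact byte layout is an assumption.
"""
import hashlib

# Mark-of-the-Web zone numbers (Windows URLZONE values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed: the stream attached to the dropped copy.
DROPPED_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"
# Constructed: what a browser-downloaded file normally carries.
INTERNET_ZONE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                        "ReferrerUrl=https://example.invalid/\r\n"
                        "HostUrl=https://example.invalid/order.exe\r\n")

# From the report: the submitted sample and the dropped
# C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe.
SAMPLE_SHA256 = "3a247872a0d5d1686d14a0fcde7143a0f501a3520abd05dc261dbb4373de29fb"
DHCPMON_SHA256 = "3a247872a0d5d1686d14a0fcde7143a0f501a3520abd05dc261dbb4373de29fb"
# From the report: SHA-256 listed for every one-byte __PSScriptPolicyTest_* file.
POLICY_PROBE_SHA256 = "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section into a {key: value} dict."""
    values, section = {}, None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_of(stream: str):
    """(zone number, zone name); (None, 'no mark') when the stream has no ZoneId."""
    zone = parse_zone_identifier(stream).get("ZoneId")
    if zone is None or not zone.isdigit():
        return None, "no mark"
    return int(zone), ZONE_NAMES.get(int(zone), "unknown")


def mark_of_the_web_removed(stream: str) -> bool:
    """True when a file that came from outside carries ZoneId=0 or no mark:
    SmartScreen and Office Protected View then treat it as a local file."""
    zone, _ = zone_of(stream)
    return zone in (None, 0)


def read_zone_stream(path: str):
    """Read the NTFS alternate data stream on Windows; None if absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_self_copy(sample_sha256: str, dropped_sha256: str) -> bool:
    """Same SHA-256 means the 'dropped' binary is a byte-identical copy of the sample."""
    return sample_sha256.lower() == dropped_sha256.lower()


def is_powershell_policy_probe(data: bytes) -> bool:
    """PowerShell writes a single '1' to __PSScriptPolicyTest_* files when it
    checks AppLocker/WDAC script enforcement; hashing b'1' reproduces the
    MD5/SHA1/SHA-256 the report lists for those files."""
    return file_hashes(data)["sha256"] == POLICY_PROBE_SHA256


if __name__ == "__main__":
    print("dropped copy zone:", zone_of(DROPPED_ZONE_STREAM))
    print("self copy:", is_self_copy(SAMPLE_SHA256, DHCPMON_SHA256))
    print("policy probe hashes:", file_hashes(b"1"))
```

On a live host, feed read_zone_stream(path) into zone_of; a freshly written executable under Program Files with ZoneId=0, whose hash matches a phishing attachment, is the combination to hunt for.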
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe.log
                                                                          Process:C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):659
                                                                          Entropy (8bit):5.2661344468761735
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2U/N0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2U/Pz2T
                                                                          MD5:3C153E5BCCA87FF6E091634EE977299F
                                                                          SHA1:6DE85803E7FA00C03CE809243EB8162DF036430A
                                                                          SHA-256:F0705BDCE38ADB33CA8B414DDB85718985660BC73E0BE4439E0A94384A37797D
                                                                          SHA-512:54BDFFA72A0D4122B5B79B092D7E8C3213EB30AE2858188748E52ADD65ADE2F2F887892C06BB8ED790C19F1ED949176B9A9F0113679EF38B74387A189E6DC745
                                                                          Malicious:true
                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\aa840ffb0dd775d9eb8d66c8a8e8cdd9\System.Transactions.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):659
                                                                          Entropy (8bit):5.2661344468761735
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2U/N0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2U/Pz2T
                                                                          MD5:3C153E5BCCA87FF6E091634EE977299F
                                                                          SHA1:6DE85803E7FA00C03CE809243EB8162DF036430A
                                                                          SHA-256:F0705BDCE38ADB33CA8B414DDB85718985660BC73E0BE4439E0A94384A37797D
                                                                          SHA-512:54BDFFA72A0D4122B5B79B092D7E8C3213EB30AE2858188748E52ADD65ADE2F2F887892C06BB8ED790C19F1ED949176B9A9F0113679EF38B74387A189E6DC745
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\aa840ffb0dd775d9eb8d66c8a8e8cdd9\System.Transactions.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):19672
                                                                          Entropy (8bit):5.5736404828152555
                                                                          Encrypted:false
                                                                          SSDEEP:384:3tjosG0glZCfBm1cS0nujul+O3oIpaeQ99VYcg+M1M0s0UP7zA:4lMQ+TuCln4AatZYFCd0Aw
                                                                          MD5:56E80992D0E90DDB7556402340E3887D
                                                                          SHA1:66EA823C0A75D9EAD4A59CCB234B180EE6721DCC
                                                                          SHA-256:F6FE3B497BDB21DD11F72C27C7978D36CCB5B11121B3F2848B0FF3EEE22F0D56
                                                                          SHA-512:DB881E4C11C0C70F6473C1D0F7B38A4F7AA2D6A572D49A94764C494BB80F114E50ABF0777B889DE088D4F033BFFBFF6E423F9B8DE0F82B82EF3736D2B4870A81
                                                                          Malicious:false
                                                                          Preview: @...e.......................~.r.r...T...6.s..........@..........H...............<@.^.L."My...:B..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3byeis5t.mkj.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cove0s0s.3bl.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rugwc3rr.lmi.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t03bphms.jnb.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tegsgvfz.cq0.psm1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujndjznq.u24.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ziiazx4u.hf1.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvqmwook.lku.ps1
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview: 1
C:\Users\user\AppData\Local\Temp\tmp467D.tmp
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1596
Entropy (8bit): 5.136880481438
Encrypted: false
SSDEEP: 24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta7xvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTyv
MD5: C8A9CED37FE1D102C8DA64F64112F294
SHA1: B907D3DEE8303EC07A6F2B7B0073D2CDC5CF3BD2
SHA-256: 63E7E5D7B989B28A26CF5BC25499564ECBD960420680EC91184727F40D384A88
SHA-512: 257A9798E335CACF4EF9925311FEE66510B79188A2435FAD6947CEC364CE28A19AA79191DF0FD1BCCE2253B07B35B52110AAAB530F928F55F84520A6F0A4A352
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1596
Entropy (8bit): 5.136880481438
Encrypted: false
SSDEEP: 24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta7xvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTyv
MD5: C8A9CED37FE1D102C8DA64F64112F294
SHA1: B907D3DEE8303EC07A6F2B7B0073D2CDC5CF3BD2
SHA-256: 63E7E5D7B989B28A26CF5BC25499564ECBD960420680EC91184727F40D384A88
SHA-512: 257A9798E335CACF4EF9925311FEE66510B79188A2435FAD6947CEC364CE28A19AA79191DF0FD1BCCE2253B07B35B52110AAAB530F928F55F84520A6F0A4A352
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: ISO-8859 text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:zS6Bt:zJb
MD5: 447E56D9F2F69A68280F058717E47720
SHA1: 43084A5985A2B4483F0A04DAF6FEF25282FE75B2
SHA-256: 981B88BE484260AFF3988F2CB00BF3603454209CB083B15D059468D46207B95D
SHA-512: 8819BBE46FECCDCBC78EB82A5152D3530C40C5121A2162AB3617C66004EA40579C958B676F149F37D620317BEA1D2DB1F70467F8032DA773D9A39F36F0F7B01D
Malicious: true
Preview: oCt7..H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: data
Category: modified
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: data
Category: dropped
Size (bytes): 426840
Entropy (8bit): 7.999608491116724
Encrypted: true
SSDEEP: 12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5: 963D5E2C9C0008DFF05518B47C367A7F
SHA1: C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256: 5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512: 0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious: false
Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 528896
Entropy (8bit): 7.701920893284902
Encrypted: false
SSDEEP: 12288:/sRtD00gTfhllXbNGMporp7d1tEQE6Zfj:/sRC0gTpXBIp7d3np1
MD5: 7BA9068DE522FCEF76DD98DC7E1D6F4E
SHA1: 9A7B48EB45986398308B356851638545189070B4
SHA-256: 3A247872A0D5D1686D14A0FCDE7143A0F501A3520ABD05DC261DBB4373DE29FB
SHA-512: DF562F256CD32FEABC8FC764E3D2CD3EE4E1EE2D90FA4C8059DB5E4442EFEF830E99E7D0B4FEEDC8850852FBFF085EE9F4241563D7BE34CAC7C4BE4D25C71B89
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a..............0..............&... ...@....@.. ....................................@.................................\&..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......xj...F......k...L....u..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........A...%...%...%...%..........%.r...p.%.rI..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
C:\Users\user\AppData\Roaming\rEyeIgLUX.exe:Zone.Identifier
Process: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\Documents\20211122\PowerShell_transcript.849224.0aNFpDSB.20211122184104.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5785
Entropy (8bit): 5.395485214371877
Encrypted: false
SSDEEP: 96:BZzj5NnqDo1ZpZlj5NnqDo1ZsgWojZ6j5NnqDo1ZUd44jZo:6
MD5: CE31543FC89019B00EDF04B681802872
SHA1: F5B84C944798AD2AD34E9277332C54A1939C7CC3
SHA-256: B380E9A7D74681929EEEF91BC19201A5C00EBEF1A604536C75A3D6DF3AE130B0
SHA-512: 114425CB207CDBBECFA65C8E7A8676F87545F42560181D8A189367963F086DEC853B3AD656B5D7D7AF00A4EB9565510220338E6EF9361E5192E7A6BEF25E0FB2
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184106..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\rEyeIgLUX.exe..Process ID: 4876..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184106..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\rEyeIgLUX.exe..**********************..Windows PowerShell transcript start..Start time: 20211122184438..Username: computer\user..RunAs User: computer\user.
C:\Users\user\Documents\20211122\PowerShell_transcript.849224.IStSMB+a.20211122184034.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3594
Entropy (8bit): 5.405633910560106
Encrypted: false
SSDEEP: 96:BZOj5NrqDo1Zj7FZIj5NrqDo1Zwqjx0cx0cx0OZp:2YFFR
MD5: CEE0A42CD1D7EE13BBA3A74641330AE7
SHA1: 72103F998981C24954D90BB61D80345DA749CA9C
SHA-256: 3B90CCABC7B664922F3A0C1E9287B91E7B11EB91D73BC1290A3940EFF15A48E6
SHA-512: 8B88FCA3E064005B007B7007F32DF822643E52081EA1F1490C2BAD6D966620535863F5B4E2D55407A186CD111B81D1125D983DDEBD50924331B7F46AD5C3A8F5
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184037..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe..Process ID: 7164..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184037..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe..**********************..Command start time: 20211122184351..**********************..PS>T
C:\Users\user\Documents\20211122\PowerShell_transcript.849224.QY1C3Hux.20211122184036.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5785
Entropy (8bit): 5.394923057421319
Encrypted: false
SSDEEP: 96:BZxj5NSqDo1ZfZPj5NSqDo1ZRgWojZRj5NSqDo1Z7d44PZ0:w
MD5: 2A9419D7EC38BD059C90FF679722B004
SHA1: A74F655BA50DFC10EC477351E96B8A6C7B457149
SHA-256: A8E583DC9A0B5246E118492D0AB074E75C2840F2F182083C4D804D11DAADC11B
SHA-512: 43F576D8C4B330D0B9E2F1594707ED0D81EDFDA9AC851A2CB13812076DF796647A93C99245F9BE7B7E45746B5FBA57D42DF5E5254691A5E464C401037ED37278
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184038..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\rEyeIgLUX.exe..Process ID: 1364..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184038..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\rEyeIgLUX.exe..**********************..Windows PowerShell transcript start..Start time: 20211122184506..Username: computer\user..RunAs User: computer\user.
C:\Users\user\Documents\20211122\PowerShell_transcript.849224.yB0+MJmL.20211122184103.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3691
Entropy (8bit): 5.225781823272133
Encrypted: false
SSDEEP: 96:BZIj5NEqDo1ZLZjj5NEqDo1ZllzvOzGMzGMzwxZD:SvyGgGgwn
MD5: 947F79D947B2B697AC196E32915D49E4
SHA1: 95320BB3FD390079A0E19061959FEE626FAAF6EC
SHA-256: 030932EA39336FE1895D22316F99790C1143F08BBA8002B4339600F438666F6E
SHA-512: 92B986BC83583F9C6315B1B8EE99711361540C296518FB46EAA5E4D9600E64E1B22C9A0E2D9BAA07A1DA960F4CA69EA6B1E15376EA1936EF2A2224991E6255F2
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184105..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 849224 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..Process ID: 7116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184105..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe..**********************..Windows PowerShell transcript start..Start time: 20211122184546..Username: computer\user..RunAs User: computer\

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.701920893284902
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
File size: 528896
MD5: 7ba9068de522fcef76dd98dc7e1d6f4e
SHA1: 9a7b48eb45986398308b356851638545189070b4
SHA256: 3a247872a0d5d1686d14a0fcde7143a0f501a3520abd05dc261dbb4373de29fb
SHA512: df562f256cd32feabc8fc764e3d2cd3ee4e1ee2d90fa4c8059db5e4442efef830e99e7d0b4feedc8850852fbff085ee9f4241563d7be34cac7c4be4d25c71b89
SSDEEP: 12288:/sRtD00gTfhllXbNGMporp7d1tEQE6Zfj:/sRC0gTpXBIp7d3np1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a..............0..............&... ...@....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4826ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619B32FA [Mon Nov 22 06:04:42 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
aas
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [edx+08h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8265c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x5f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x806c4 | 0x80800 | False | 0.848606213521 | data | 7.71310269817 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x84000 | 0x5f4 | 0x600 | False | 0.430989583333 | data | 4.18745646157 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x84090 | 0x364 | data | |
RT_MANIFEST | 0x84404 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018
Assembly Version | 1.0.0.0
InternalName | IBindableIterat.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | PortalOverlapDetector
ProductVersion | 1.0.0.0
FileDescription | PortalOverlapDetector
OriginalFilename | IBindableIterat.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/22/21-18:40:50.223437 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59123 | 8.8.4.4 | 192.168.2.4
11/22/21-18:40:50.460878 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:40:56.573634 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:02.432617 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58028 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:03.037286 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:10.212791 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53097 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:10.596063 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:17.075973 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62389 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:17.300188 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:23.311968 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49910 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:23.468587 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:29.666241 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55854 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:29.799446 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:36.269051 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:43.646812 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56627 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:43.922060 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49773 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:50.327657 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49800 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:41:56.541259 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61721 | 8.8.4.4 | 192.168.2.4
11/22/21-18:41:57.111015 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49801 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:42:03.632540 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49803 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:42:09.953892 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49805 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:42:16.648975 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49814 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:42:29.880554 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49612 | 8.8.4.4 | 192.168.2.4
11/22/21-18:42:30.013654 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49833 | 6327 | 192.168.2.4 | 194.5.98.48
11/22/21-18:42:35.947030 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49834 | 6327 | 192.168.2.4 | 194.5.98.48

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2021 18:40:50.232976913 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:50.388780117 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:50.388885021 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:50.460877895 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:50.787734985 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:50.787888050 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:50.868174076 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:50.868252993 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:50.995090008 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:50.998714924 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.132164955 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.132383108 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.463701010 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.464876890 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.650705099 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.650774002 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.650999069 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.780956030 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.781344891 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.782773018 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.782860041 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.782886982 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.783016920 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.783039093 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.909703016 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.909874916 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.909960985 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.909995079 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.910418034 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.910497904 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.910958052 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.911212921 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.911328077 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.911448002 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.911655903 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.911673069 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.911761999 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:51.911828995 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:51.911844969 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.041126966 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041179895 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041419983 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.041433096 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041558027 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041583061 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.041620016 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041632891 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.041646004 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.041728973 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.041735888 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.043709040 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.043874025 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.044480085 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.044608116 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.045131922 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.045378923 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.045392990 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.045572996 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.047941923 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.047976971 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.048021078 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.048044920 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.048069954 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.048185110 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.048201084 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.048202038 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.048280954 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.169321060 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.169533014 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.169826031 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.170761108 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.172266006 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172291040 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172307014 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172352076 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172369957 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172388077 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172470093 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.172487974 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.172727108 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.172935963 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.174746990 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.174894094 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.175270081 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.175391912 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.175560951 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.175699949 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.177120924 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.177846909 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.178771973 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179096937 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179105997 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.179117918 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179138899 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179255962 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.179266930 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
Nov 22, 2021 18:40:52.179374933 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179394960 CET | 6327 | 49749 | 194.5.98.48 | 192.168.2.4
Nov 22, 2021 18:40:52.179795027 CET | 49749 | 6327 | 192.168.2.4 | 194.5.98.48
                                                                          Nov 22, 2021 18:40:52.182543039 CET632749749194.5.98.48192.168.2.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 22, 2021 18:40:50.200015068 CET  59123        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:40:50.223437071 CET  53           59123      8.8.4.4        192.168.2.4
Nov 22, 2021 18:40:56.423813105 CET  54531        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:40:56.442034006 CET  53           54531      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:02.410928011 CET  58028        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:02.432616949 CET  53           58028      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:10.181791067 CET  53097        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:10.212790966 CET  53           53097      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:17.054394960 CET  62389        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:17.075973034 CET  53           62389      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:23.290021896 CET  49910        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:23.311968088 CET  53           49910      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:29.646991968 CET  55854        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:29.666240931 CET  53           55854      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:35.981303930 CET  64549        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:35.999191999 CET  53           64549      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:43.626094103 CET  56627        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:43.646811962 CET  53           56627      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:50.163022995 CET  64801        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:50.181020021 CET  53           64801      8.8.4.4        192.168.2.4
Nov 22, 2021 18:41:56.512414932 CET  61721        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:41:56.541259050 CET  53           61721      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:03.480258942 CET  51255        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:03.499874115 CET  53           51255      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:09.781270027 CET  61522        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:09.800605059 CET  53           61522      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:16.481969118 CET  52337        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:16.499813080 CET  53           52337      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:22.479844093 CET  55046        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:22.500077009 CET  53           55046      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:29.858758926 CET  49612        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:29.880553961 CET  53           49612      8.8.4.4        192.168.2.4
Nov 22, 2021 18:42:35.795295000 CET  49285        53         192.168.2.4    8.8.4.4
Nov 22, 2021 18:42:35.814043045 CET  53           49285      8.8.4.4        192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Nov 22, 2021 18:40:50.200015068 CET  192.168.2.4  8.8.4.4  0x131d    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:40:56.423813105 CET  192.168.2.4  8.8.4.4  0x631a    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:02.410928011 CET  192.168.2.4  8.8.4.4  0xfb51    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:10.181791067 CET  192.168.2.4  8.8.4.4  0xb48a    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:17.054394960 CET  192.168.2.4  8.8.4.4  0x3e13    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:23.290021896 CET  192.168.2.4  8.8.4.4  0xc6d2    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:29.646991968 CET  192.168.2.4  8.8.4.4  0xfbe9    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:35.981303930 CET  192.168.2.4  8.8.4.4  0xcc7b    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:43.626094103 CET  192.168.2.4  8.8.4.4  0x968b    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:50.163022995 CET  192.168.2.4  8.8.4.4  0xa4ec    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:56.512414932 CET  192.168.2.4  8.8.4.4  0x2f36    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:03.480258942 CET  192.168.2.4  8.8.4.4  0x8afc    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:09.781270027 CET  192.168.2.4  8.8.4.4  0x711b    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:16.481969118 CET  192.168.2.4  8.8.4.4  0x7c11    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:22.479844093 CET  192.168.2.4  8.8.4.4  0x35ec    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:29.858758926 CET  192.168.2.4  8.8.4.4  0x9451    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:35.795295000 CET  192.168.2.4  8.8.4.4  0xff88    Standard query (0)  james12.ddns.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address      Type            Class
Nov 22, 2021 18:40:50.223437071 CET  8.8.4.4    192.168.2.4  0x131d    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:40:56.442034006 CET  8.8.4.4    192.168.2.4  0x631a    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:02.432616949 CET  8.8.4.4    192.168.2.4  0xfb51    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:10.212790966 CET  8.8.4.4    192.168.2.4  0xb48a    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:17.075973034 CET  8.8.4.4    192.168.2.4  0x3e13    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:23.311968088 CET  8.8.4.4    192.168.2.4  0xc6d2    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:29.666240931 CET  8.8.4.4    192.168.2.4  0xfbe9    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:35.999191999 CET  8.8.4.4    192.168.2.4  0xcc7b    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:43.646811962 CET  8.8.4.4    192.168.2.4  0x968b    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:50.181020021 CET  8.8.4.4    192.168.2.4  0xa4ec    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:41:56.541259050 CET  8.8.4.4    192.168.2.4  0x2f36    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:03.499874115 CET  8.8.4.4    192.168.2.4  0x8afc    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:09.800605059 CET  8.8.4.4    192.168.2.4  0x711b    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:16.499813080 CET  8.8.4.4    192.168.2.4  0x7c11    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:22.500077009 CET  8.8.4.4    192.168.2.4  0x35ec    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:29.880553961 CET  8.8.4.4    192.168.2.4  0x9451    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)
Nov 22, 2021 18:42:35.814043045 CET  8.8.4.4    192.168.2.4  0xff88    No error (0)  james12.ddns.net  -      194.5.98.48  A (IP address)  IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:40:27
Start date: 22/11/2021
Path: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe"
Imagebase: 0xd60000
File size: 528896 bytes
MD5 hash: 7BA9068DE522FCEF76DD98DC7E1D6F4E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.715793394.00000000035A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.717130946.0000000004841000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.716851621.0000000004632000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.716174408.0000000003729000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:40:33
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Imagebase: 0xa80000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:40:34
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:40:34
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe
Imagebase: 0xa80000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:40:35
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:40:35
Start date: 22/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmp467D.tmp
Imagebase: 0xb80000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:40:37
Start date: 22/11/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:40:39
Start date: 22/11/2021
Path: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe
Imagebase: 0x850000
File size: 528896 bytes
MD5 hash: 7BA9068DE522FCEF76DD98DC7E1D6F4E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.713495925.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.709764931.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.755956371.00000000043A4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.707589363.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.756004455.00000000043DB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.713893383.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 18:40:58
Start date: 22/11/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase: 0xb10000
File size: 528896 bytes
MD5 hash: 7BA9068DE522FCEF76DD98DC7E1D6F4E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.775456783.0000000003281000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.775731201.0000000003406000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.777582585.0000000004312000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.778491014.0000000004520000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 29%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:18:41:00
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                                          Imagebase:0xa80000
                                                                          File size:430592 bytes
                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:41:01
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:41:01
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe"
                                                                          Imagebase:0xa80000
                                                                          File size:430592 bytes
                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET

                                                                          General

                                                                          Start time:18:41:02
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          General

                                                                          Start time:18:41:03
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp"
                                                                          Imagebase:0xb80000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          General

                                                                          Start time:18:41:05
                                                                          Start date:22/11/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          General

                                                                          Start time:18:41:07
                                                                          Start date:22/11/2021
                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                          Imagebase:0x5d0000
                                                                          File size:528896 bytes
                                                                          MD5 hash:7BA9068DE522FCEF76DD98DC7E1D6F4E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.768345508.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.766081622.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.787863880.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.790219362.0000000002D91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.770033827.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.790326430.0000000003D91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000000.766641531.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
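The process entries above record the two evasion and persistence steps that the Sigma hits in the overview refer to: the dropped dhcpmon.exe launches powershell.exe with Add-MpPreference -ExclusionPath for itself and for rEyeIgLUX.exe in AppData\Roaming, then schtasks.exe imports a task definition named Updates\rEyeIgLUX from a .tmp file in AppData\Local\Temp. The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how those two command-line patterns can be detected over process-creation events. The events are constructed from the command lines in the report plus benign look-alikes that must not fire; the list of directories treated as user-writable and the benign events are assumptions.

```python
"""Detection logic for the two steps recorded in the report: a Windows Defender
exclusion added via PowerShell, and a scheduled task created from an XML file in
the user's Temp directory. Added example, not part of the sandbox report."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    image: str            # full path of the created process
    command_line: str     # command line as logged
    parent_image: str = ""


@dataclass
class Finding:
    rule: str
    detail: str
    command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _arg_value(cmd: str, flag: str) -> Optional[str]:
    """Return the value following `flag`, handling both "quoted" and bare values."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect_defender_exclusion(ev: ProcessEvent) -> Optional[Finding]:
    """PowerShell adding a Defender exclusion (Add-MpPreference -Exclusion*).

    Matching is on the image basename only: under WOW64 the logged image is
    SysWOW64\\powershell.exe while the command line still says System32,
    exactly as in the report."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if not re.search(r"\bAdd-MpPreference\b", ev.command_line, re.IGNORECASE):
        return None
    for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
        value = _arg_value(ev.command_line, flag)
        if value is not None:
            return Finding("defender_exclusion", f"{flag}={value}", ev.command_line)
    return None


# Assumption: locations a non-admin user can write to, where a task XML has no
# business being staged. Tune to your environment.
_USER_WRITABLE_DIRS = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Windows\\Temp)\\", re.IGNORECASE)


def detect_schtasks_xml_from_temp(ev: ProcessEvent) -> Optional[Finding]:
    """schtasks /Create importing a task definition from a user-writable temp location."""
    if _basename(ev.image) != "schtasks.exe":
        return None
    cmd = ev.command_line
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    xml = _arg_value(cmd, "/XML")
    if xml is None or not _USER_WRITABLE_DIRS.search(xml):
        return None
    task = _arg_value(cmd, "/TN") or "<unnamed>"
    return Finding("schtasks_xml_from_temp", f"TN={task} XML={xml}", cmd)


RULES = (detect_defender_exclusion, detect_schtasks_xml_from_temp)


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed events: the first three mirror the report's command lines, the
# rest are benign look-alikes that must not produce findings.
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS_IMAGE,
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"',
                 DROPPER),
    ProcessEvent(PS_IMAGE,
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rEyeIgLUX.exe"',
                 DROPPER),
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rEyeIgLUX" /XML "C:\Users\user\AppData\Local\Temp\tmpA8E1.tmp"',
                 DROPPER),
    ProcessEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(PS_IMAGE, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Corp\Inventory" /XML "C:\Program Files\Corp Agent\inventory-task.xml"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Both rules deliberately key on the command line rather than the image path: the report shows the 32-bit sample spawning SysWOW64 binaries whose command lines name System32, so a detection pinned to one full path would miss the other. A follow-up response step on a live host is to list current exclusions (Get-MpPreference) and any task under the Updates\ folder, since both persist after the dropper exits.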
