Windows Analysis Report TR0398734893 50601251.exe

Overview

General Information

Sample Name:TR0398734893 50601251.exe
Analysis ID:526553
MD5:f245cb3e4ecc54a0883371b525eb0bb1
SHA1:71ff34129913ac8a924a28c7523885f11ca44a1c
SHA256:8371daec5ed076caa1cfdac1ce0ab350744de7d71108ae5efda80e4c54ab1d0e
Tags:exe

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • TR0398734893 50601251.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 6952 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6968 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 4260 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
      • schtasks.exe (PID: 6648 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6712 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • TR0398734893 50601251.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 1936 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 2944 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 7024 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • TR0398734893 50601251.exe (PID: 6984 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 6812 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 3516 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Sigma Overview

      AV Detection:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      System Summary:

      Sigma detected: Suspicius Add Task From User AppData Temp
      Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, ProcessId: 6968
      Sigma detected: Powershell Defender Exclusion
      Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
      Sigma detected: Non Interactive PowerShell
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
      Sigma detected: T1086 PowerShell Execution
      Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132821089554997111.6952.DefaultAppDomain.powershell

      Jbx Signature Overview

      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: TR0398734893 50601251.exe, Virustotal: Detection: 27%
      Source: TR0398734893 50601251.exe, ReversingLabs: Detection: 24%
      Multi AV Scanner detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 27%
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 24%
      Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, Virustotal: Detection: 27%
      Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ReversingLabs: Detection: 24%
      Yara detected Nanocore RAT
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR
      Machine Learning detection for sample
      Source: TR0398734893 50601251.exe, Joe Sandbox ML: detected
      Machine Learning detection for dropped file
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, Joe Sandbox ML: detected
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: TR0398734893 50601251.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: TR0398734893 50601251.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Networking:

      May check the online IP address of the machine
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com
      Source: unknown, DNS query: name: 9292.freemyip.com
      Source: unknown, DNS query: name: 9292.freemyip.com
      Source: unknown, DNS query: name: 9292.freemyip.com
      Source: global traffic, TCP traffic: 192.168.2.7:49762 -> 185.140.53.131:9292
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: TR0398734893 50601251.exe, 00000001.00000003.255583071.0000000005D74000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: TR0398734893 50601251.exe, 00000001.00000003.258189413.0000000005D78000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, String found in binary or memory: http://www.chinhdo.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
      Source: TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comB.TTF
      Source: TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
      Source: TR0398734893 50601251.exe, 00000001.00000003.252766319.0000000005D8B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
      Source: TR0398734893 50601251.exe, 00000001.00000003.255015833.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.cV
      Source: TR0398734893 50601251.exe, 00000001.00000003.254947421.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: TR0398734893 50601251.exe, 00000001.00000003.254884642.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn5
      Source: TR0398734893 50601251.exe, 00000001.00000003.262739726.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
      Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
      Source: unknown, DNS traffic detected: queries for: 9292.freemyip.com
      Source: dhcpmon.exe, 00000016.00000002.329110876.0000000001098000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

      System Summary:

      Malicious sample detected (through community Yara rule)Show sources
      Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
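      The match list above is long because the same two community rules fire on every dump of every process the sample spawned. The script below is an added example, not part of the Joe Sandbox report, that parses these "Source: ... Matched rule: ..." lines and groups the hits by process and by memory protection, so an analyst can see at a glance which process indices carry the NanoCore payload and which of those dumps were executable-and-writable at the time of the dump (0x40 is the Win32 PAGE_EXECUTE_READWRITE constant; that this field of the .sdmp name is the page protection, and that the leading field is Joe Sandbox's process index rather than the OS PID, are assumptions drawn from the naming pattern in the report). The sample input is a handful of lines copied from the list above, in both the run-together and the spaced form.

```python
"""Parse Joe Sandbox 'Matched rule' lines and group the hits by process and rule."""
import re
from collections import defaultdict

# Constructed input: match lines copied from the report. Both the run-together
# form ("UNPACKEDPEMatched") and the spaced form are accepted.
SAMPLE_LINES = """\
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*Matched rule:\s*"
    r"(?P<rule>.+?)\s+Author:\s*(?P<author>.+?)\s*$"
)
# <process idx>.<phase>.<dump id>.<base>.<protection>.<region type>.sdmp
# Field meaning is an assumption from the naming pattern; the protection
# value lines up with the Win32 PAGE_* constants (0x40 = PAGE_EXECUTE_READWRITE).
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
# <process idx>.<phase>.<process name>.<base>.<n>[.raw].unpack
# The process name itself contains a dot (".exe"), so the base address is
# anchored by the numeric fields that follow it.
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<proc>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<n>\d+)\.(?P<raw>raw\.)?unpack$"
)
PROCSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<proc>.+?)\s+PID:\s*(?P<pid>\d+)$")

PAGE_EXECUTE_READWRITE = 0x40


def parse_source(src):
    """Return (process index, base address, protection) for one source string.

    Fields that a source form does not carry are None. The process index is
    Joe Sandbox's own numbering (9, 19, 30 ...), not the OS PID; the MEMORYSTR
    form names the OS PID only, so it yields no index.
    """
    m = SDMP_RE.match(src)
    if m:
        return int(m["idx"], 16), int(m["base"], 16), int(m["prot"], 16)
    m = UNPACK_RE.match(src)
    if m:
        return int(m["idx"]), int(m["base"], 16), None
    if PROCSPACE_RE.match(src):
        return None, None, None
    raise ValueError("unrecognised source: " + src)


def parse_report(text):
    """Turn report lines into dicts; lines that are not match lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        idx, base, prot = parse_source(m["src"])
        records.append({
            "source": m["src"], "type": m["type"], "rule": m["rule"],
            "author": m["author"], "proc_idx": idx, "base": base, "prot": prot,
        })
    return records


def rules_by_process(records):
    """Map each process index to the set of rule names that hit in it."""
    out = defaultdict(set)
    for r in records:
        if r["proc_idx"] is not None:
            out[r["proc_idx"]].add(r["rule"])
    return dict(out)


def rwx_hits(records):
    """Memory dumps that matched while mapped PAGE_EXECUTE_READWRITE: a PE that
    was written into the process rather than mapped from disk by the loader."""
    return [r for r in records if r["prot"] == PAGE_EXECUTE_READWRITE]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    for idx, rules in sorted(rules_by_process(recs).items()):
        print(f"process {idx}: {sorted(rules)}")
    for r in rwx_hits(recs):
        print(f"RWX hit at {r['base']:#x} in process {r['proc_idx']}: {r['rule']}")
```

      Run against the full list rather than the six sample lines, the grouping shows that process indices 1, 9, 19 and 30 (0x1E) all carry both rules, and that every 0x402000 dump was taken from a PAGE_EXECUTE_READWRITE region, which agrees with the "Injects a PE file into a foreign processes" signature in the overview.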
      Source: TR0398734893 50601251.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_0136D774
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_0741C650
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_07410C10
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_07413A2F
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_074109C0
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_074109B0
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_00D86E81
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DE471
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DE480
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DBBD4
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568F5F8
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_05689788
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568A610
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_06B00040
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_00776E81
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_00FAD774
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07050C00
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07050C10
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07053A2F
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_070509B0
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_070509C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00836E81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_0104D774
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F60C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F60C00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F609C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F609B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00756E81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_02A0D774
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B9198
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B6228
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BB4B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B01D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B01CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E80C00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E80C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E83A2F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E809C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E809B0
Source: TR0398734893 50601251.exe, 00000001.00000002.303597997.0000000007360000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000001.00000003.267353997.0000000007672000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000009.00000000.288718625.0000000000E15000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000013.00000002.379544931.0000000000805000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe, 00000013.00000002.386085520.0000000006D50000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bLtzKqfzc.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TR0398734893 50601251.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bLtzKqfzc.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TR0398734893 50601251.exe | Virustotal: Detection: 27%
Source: TR0398734893 50601251.exe | ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File read: C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: TR0398734893 50601251.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe "C:\Users\user\Desktop\TR0398734893 50601251.exe"
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe "C:\Users\user\Desktop\TR0398734893 50601251.exe" 0
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/16@12/2
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Mutant created: \Sessions\1\BaseNamedObjects\rTEtOISOUCyAZVrl
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6da65a1d-13b4-4cf2-99da-e8e872dd1f17}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TR0398734893 50601251.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TR0398734893 50601251.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568B5E0 push eax; retf
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_056869F8 pushad ; retf
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_056869FA push esp; retf
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07059A78 push esp; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F69F57 pushad ; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F68C98 push E40742C4h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F662BF push es; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F608B8 push es; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BE3E9 push 04051C8Eh; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BA9BF push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E89F57 pushad ; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E88C98 push E4056DC4h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E8AC7D push FFFFFF8Bh; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E862BA push es; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E808B8 push es; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.71324859014
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File opened: C:\Users\user\Desktop\TR0398734893 50601251.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.2e0c068.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.2dec068.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 23.2.dhcpmon.exe.2bbc160.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.dhcpmon.exe.2cfc160.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3516, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6672 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152 | Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6796 | Thread sleep time: -17524406870024063s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6704 | Thread sleep time: -36505s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 4256 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6836 | Thread sleep time: -32781s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6920 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4916 | Thread sleep time: -36741s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6728 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6481
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2089
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: threadDelayed 6181
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: threadDelayed 3148
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: foregroundWindowGot 745
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Thread delayed: delay time: 36505
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 32781
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 36741
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: TR0398734893 50601251.exe, 00000009.00000003.366346725.0000000001405000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Memory written: C:\Users\user\Desktop\TR0398734893 50601251.exe base: 400000 value starts with: 4D5A
      Adds a directory exclusion to Windows Defender
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000009.00000002.526890507.0000000003502000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHaql
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
      Source: TR0398734893 50601251.exe, 00000009.00000002.526990999.00000000035E6000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: TR0398734893 50601251.exe, 00000009.00000002.526377056.000000000323C000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: TR0398734893 50601251.exe, 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: TR0398734893 50601251.exe, 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: TR0398734893 50601251.exe, 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: TR0398734893 50601251.exe, 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading2 | Input Capture21 | Security Software Discovery21 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools11 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

Behavior Graph ID: 526553 Sample: TR0398734893 50601251.exe Startdate: 22/11/2021 Architecture: WINDOWS Score: 100

Start (node 2):
• DNS/IP: 192.168.2.1 unknown unknown; 9292.freemyip.com
• Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 13 other signatures
• Started processes: TR0398734893 50601251.exe 7 (node 9); TR0398734893 50601251.exe 4 (node 13); dhcpmon.exe (node 15); dhcpmon.exe (node 17)

Node 9, TR0398734893 50601251.exe:
• Dropped files: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, PE32; C:\Users\...\bLtzKqfzc.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmp20D5.tmp, XML; C:\Users\...\TR0398734893 50601251.exe.log, ASCII
• Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
• Started processes: TR0398734893 50601251.exe 1 12 (node 19); powershell.exe 25 (node 24); schtasks.exe 1 (node 26)

Node 19, TR0398734893 50601251.exe:
• DNS/IP: 9292.freemyip.com 185.140.53.131, 49762, 49763, 49765 DAVID_CRAIGGG Sweden
• Dropped files: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
• Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
• Started processes: schtasks.exe 1 (node 28); schtasks.exe (node 30)

Node 24, powershell.exe: started conhost.exe (node 32)
Node 26, schtasks.exe: started conhost.exe (node 34)
Node 28, schtasks.exe: started conhost.exe (node 36)
Node 30, schtasks.exe: started conhost.exe (node 38)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
TR0398734893 50601251.exe | 28% | Virustotal |
TR0398734893 50601251.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla
TR0398734893 50601251.exe | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 28% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 28% | Virustotal |
C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla

      Unpacked PE Files

Source | Detection | Scanner | Label
9.0.TR0398734893 50601251.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.2.TR0398734893 50601251.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.2.TR0398734893 50601251.exe.5b90000.8.unpack | 100% | Avira | TR/NanoCore.fadte
9.0.TR0398734893 50601251.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.TR0398734893 50601251.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.TR0398734893 50601251.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.TR0398734893 50601251.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.founder.cV | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn5 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.chinhdo.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
9292.freemyip.com | 185.140.53.131 | true | false | | high

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | TR0398734893 50601251.exe, 00000001.00000003.255583071.0000000005D74000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | TR0398734893 50601251.exe, 00000001.00000003.262739726.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.cV | TR0398734893 50601251.exe, 00000001.00000003.255015833.0000000005DAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | TR0398734893 50601251.exe, 00000001.00000003.254947421.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comB.TTF | TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn5 | TR0398734893 50601251.exe, 00000001.00000003.254884642.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.html | TR0398734893 50601251.exe, 00000001.00000003.258189413.0000000005D78000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | TR0398734893 50601251.exe, 00000001.00000003.252766319.0000000005D8B000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.chinhdo.com | dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs

                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.131 | 9292.freemyip.com | Sweden | 209623 | DAVID_CRAIGGG | false

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:526553
                              Start date:22.11.2021
                              Start time:18:41:25
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 14m 25s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:TR0398734893 50601251.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:39
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@28/16@12/2
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                              • TCP Packets have been reduced to 100
                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
18:42:30 | API Interceptor | 807x Sleep call for process: TR0398734893 50601251.exe modified
18:42:38 | API Interceptor | 59x Sleep call for process: powershell.exe modified
18:42:49 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\TR0398734893 50601251.exe" s>$(Arg0)
18:42:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:42:52 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
18:42:55 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):693760
                              Entropy (8bit):7.310160824686315
                              Encrypted:false
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              MD5:F245CB3E4ECC54A0883371B525EB0BB1
                              SHA1:71FF34129913AC8A924A28C7523885F11CA44A1C
                              SHA-256:8371DAEC5ED076CAA1CFDAC1CE0AB350744DE7D71108AE5EFDA80E4C54AB1D0E
                              SHA-512:EDC01E12E62A2A127209E22D86BA647BEC26726CAF0C19ECF8F72C8D02277A6DF5FCA94E98C86377DCAC2C0C0A020F62FA59983AB959373E1F10D0F0C0A200B9
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 28%, Browse
                              • Antivirus: ReversingLabs, Detection: 24%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................../..O....@............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc..............................@..B................ 0......H.......xj..LG......k......(~..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........B...%...%...%...%..........%.r...p.%.rM..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TR0398734893 50601251.exe.log
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1310
                              Entropy (8bit):5.345651901398759
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                              MD5:D918C6A765EDB90D2A227FE23A3FEC98
                              SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                              SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                              SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                              Malicious:true
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1310
                              Entropy (8bit):5.345651901398759
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                              MD5:D918C6A765EDB90D2A227FE23A3FEC98
                              SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                              SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                              SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22268
                              Entropy (8bit):5.6039199473406995
                              Encrypted:false
                              SSDEEP:384:zhtCDURZHX89PGKpCRYSBKn0jultI2DpaeQ99gtfpSx+T1MarZlbAV7KWD25ZBDW:zD8dGyL4K0CltZFat8tVCSfw0VW
                              MD5:A8FC0D308EE9DAC3FC72B4F6BE60F60B
                              SHA1:4EF8A31D28B4ABFA7E6F55A5E18F3C70B7E7FAE1
                              SHA-256:C27116B6EAA7BD5DE8C8F226ED3D02913665E57E3EFE47E571C3DA363FD9381F
                              SHA-512:387539BA110D128DCE17A9E97027F560A2ABD2DE1863D7DB4574A81D75E26FA58C0FAC187D4FA169464D65902AD66041FDB5F7B5001D5B63F7E2849E18F591B7
                              Malicious:false
                              Reputation:unknown
                              Preview: @...e...........v.........C.Q.=.=...T...,.r..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gkkyk2a.4bc.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sq4dvbwi.034.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):5.138222953452563
                              Encrypted:false
                              SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTGv
                              MD5:D0F8ABDCF7855BE5F44D41001BC8B4B9
                              SHA1:F0491430B13410A02307F0F7BBC8801E10569759
                              SHA-256:A534BD817D80EF08E0134EB64A31FCFC730E9A8856B813F9736A1AFD4A65EC5E
                              SHA-512:D0E18C0D5D548627F72C5F7CF8F91FD4D5A3EAAF8C14D435A0BA767BB061D77472F710CEB5E85593C55C9D0656025A34FF21AD02C26BD8628ED08F39AFD0177F
                              Malicious:true
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                              C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1315
                              Entropy (8bit):5.15107733589013
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK09r9xtn:cbk4oL600QydbQxIYODOLedq329j
                              MD5:475679C76B7A902D42BD17BF990EF85B
                              SHA1:30D575A6ABB5C510673E64B023D421106BBFA8B0
                              SHA-256:A47745504B38190742287EB75F6498FF062CC4FF37B133F5D4357D98CF9B68E8
                              SHA-512:AEE89FE7DD3B6F536DF7D06927481BCA118E542B735E72524540588C57A00152D7867B4B8DE673FB429562E0A9F764781A45FE21A0D9439FD13EA6DF0181B868
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmpC245.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):5.138222953452563
                              Encrypted:false
                              SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTGv
                              MD5:D0F8ABDCF7855BE5F44D41001BC8B4B9
                              SHA1:F0491430B13410A02307F0F7BBC8801E10569759
                              SHA-256:A534BD817D80EF08E0134EB64A31FCFC730E9A8856B813F9736A1AFD4A65EC5E
                              SHA-512:D0E18C0D5D548627F72C5F7CF8F91FD4D5A3EAAF8C14D435A0BA767BB061D77472F710CEB5E85593C55C9D0656025A34FF21AD02C26BD8628ED08F39AFD0177F
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ISO-8859 text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:1G8:b
                              MD5:F194EBA2A5B030A89E0924B2723CFFF3
                              SHA1:D3770575989A6A60508D6C459BB7613885AAD7AA
                              SHA-256:5D3911ED91DB035F88564D64E1ACD3253D8EDABC0EFB50B83A13BFBBB8F84B46
                              SHA-512:790DEDC3AD650CE7EAFEBF38E78A27E37F2821EC416D892BE4AE163309BA348ABF36FE732456FAC8E32DAFCCAA6E88FF077CA8B4038A71B7D08B98181CD35390
                              Malicious:true
                              Reputation:unknown
                              Preview: .#..*..H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):52
                              Entropy (8bit):4.678912497395635
                              Encrypted:false
                              SSDEEP:3:oN0naRRx3VMW7n6Gn:oNcSRTX76G
                              MD5:6D23CA5B932A39B404EAABECC2D3282E
                              SHA1:C403AB90DD6ACEF2299F0B1CC626A8E16793D11C
                              SHA-256:3CA34E26F5DB3A21563A5CE3FFA753ECFF055E9CF0759AC815CA01EDD2954561
                              SHA-512:CD10A79389291E31A57C0EC68848E44E0766DFE679C5E86FDEC4C85973C2B4F4E1661B1A82FC0970D19A196B2D5DE59C27ACB69542463CF984FAD6C3C8D4A388
                              Malicious:false
                              Reputation:unknown
                              Preview: C:\Users\user\Desktop\TR0398734893 50601251.exe
                              C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):693760
                              Entropy (8bit):7.310160824686315
                              Encrypted:false
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              MD5:F245CB3E4ECC54A0883371B525EB0BB1
                              SHA1:71FF34129913AC8A924A28C7523885F11CA44A1C
                              SHA-256:8371DAEC5ED076CAA1CFDAC1CE0AB350744DE7D71108AE5EFDA80E4C54AB1D0E
                              SHA-512:EDC01E12E62A2A127209E22D86BA647BEC26726CAF0C19ECF8F72C8D02277A6DF5FCA94E98C86377DCAC2C0C0A020F62FA59983AB959373E1F10D0F0C0A200B9
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                               • Antivirus: Virustotal, Detection: 28%
                              • Antivirus: ReversingLabs, Detection: 24%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................../..O....@............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc..............................@..B................ 0......H.......xj..LG......k......(~..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........B...%...%...%...%..........%.r...p.%.rM..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
                              C:\Users\user\AppData\Roaming\bLtzKqfzc.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\Documents\20211122\PowerShell_transcript.226533.DYqwUES1.20211122184236.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5825
                              Entropy (8bit):5.396902799265613
                              Encrypted:false
                              SSDEEP:96:BZi6/NaqDo1ZJZv6/NaqDo1ZEaMyjZK6/NaqDo1Z1TCC5Ze:8
                              MD5:F33207262F5C04CE12B6D75FF00124B7
                              SHA1:57097622FABDFC7810D70F2868496E62C9386306
                              SHA-256:C3995E9A0E243E0D6E579B1BAC4421A37E1900DC57B31A9FEA2B4577CC0380F4
                              SHA-512:F915154122F5E6653F4167A9E35E3727F1F3ACA24580319DF83A14998A490828532D28EE445E1ED5E7136BA221419F61F2C1FF6B90ADB066E227D968BA6CE38C
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184238..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226533 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\bLtzKqfzc.exe..Process ID: 6952..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184238..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\bLtzKqfzc.exe..**********************..Windows PowerShell transcript start..Start time: 20211122184550..Username: computer\user..RunAs User: DE
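The dropped-file list above holds three artifacts worth triaging rather than just hashing: the Task Scheduler XML exports (a LogonTrigger variant with RunLevel LeastPrivilege, and a trigger-less variant with RunLevel HighestAvailable), the Zone.Identifier stream written with ZoneId=0 on the copy in AppData\Roaming, and the PowerShell transcript recording Add-MpPreference -ExclusionPath for that copy. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses constructed inputs built from the previews and turns them into findings. The task XML is completed with the closing tags and an <Actions> block that the truncated previews cut off, and the Exec command path inside it is an assumption.

```python
# Added example, not part of the Joe Sandbox report: turn the persistence and
# evasion artifacts listed under "Dropped files" (Task Scheduler XML exports,
# the Zone.Identifier stream, the PowerShell transcript) into triage findings.
# Inputs are constructed from the report previews; the task XML is completed
# with closing tags and an <Actions> block the previews cut off, and the Exec
# command path inside it is an assumption, not a value taken from the report.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)


def parse_task(text: str) -> dict:
    """Pull the triage-relevant fields out of a Task Scheduler 1.2 XML export.

    The dropped task files declare encoding="UTF-16" but are ASCII on disk (see
    their File Type lines), so the XML declaration is stripped rather than trusted.
    """
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))

    def txt(path: str) -> str:
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else ""

    return {
        "author": txt("t:RegistrationInfo/t:Author"),
        "logon_trigger": txt("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true",
        "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
        "hidden": txt("t:Settings/t:Hidden").lower() == "true",
        "commands": [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text],
    }


def triage_task(task: dict) -> list:
    findings = []
    if task["logon_trigger"]:
        findings.append("runs at every logon of the registering user (persistence)")
    if task["run_level"] == "HighestAvailable":
        findings.append("requests the highest available integrity level (silent elevation for admin users)")
    if task["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    for cmd in task["commands"]:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from a user-writable path: {cmd}")
    return findings


def zone_id(stream: str):
    """ZoneId from a Zone.Identifier ADS: 3 = Internet (Mark-of-the-Web), 0 = local machine, None = absent."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d)", stream, re.M)
    return int(m.group(1)) if m else None


def defender_exclusions(transcript: str) -> list:
    """(kind, value) pairs added with Add-MpPreference -Exclusion* in a PowerShell transcript, deduplicated."""
    found = []
    for pair in re.findall(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(\S+)", transcript):
        if pair not in found:
            found.append(pair)
    return found


# Constructed inputs mirroring tmp20D5.tmp / tmp85D3.tmp, bLtzKqfzc.exe:Zone.Identifier
# and the PowerShell transcript above. <Actions> and its command path are assumed.
TASK_LOGON = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>computer\\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>computer\\user</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>computer\\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Users\\user\\AppData\\Roaming\\bLtzKqfzc.exe</Command></Exec></Actions>
</Task>"""
TASK_ELEVATED = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /><Triggers />
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Users\\user\\AppData\\Roaming\\bLtzKqfzc.exe</Command></Exec></Actions>
</Task>"""
ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"
TRANSCRIPT = ("Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
              "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\bLtzKqfzc.exe\r\n"
              "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\bLtzKqfzc.exe\r\n")

if __name__ == "__main__":
    for label, xml in (("tmp20D5.tmp", TASK_LOGON), ("tmp85D3.tmp", TASK_ELEVATED)):
        print(label, triage_task(parse_task(xml)))
    print("Zone.Identifier ZoneId:", zone_id(ZONE_STREAM))
    print("Defender exclusions:", defender_exclusions(TRANSCRIPT))
```

Two practitioner caveats are built in. The exported task files claim encoding="UTF-16" while the report's File Type lines say ASCII text, so the parser strips the declaration instead of trusting it. And a ZoneId of 0 on a file the sample itself wrote is not "no Mark-of-the-Web" but an explicit claim of local origin, which is why the report flags it as hiding the Internet download.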

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.310160824686315
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:TR0398734893 50601251.exe
                              File size:693760
                              MD5:f245cb3e4ecc54a0883371b525eb0bb1
                              SHA1:71ff34129913ac8a924a28c7523885f11ca44a1c
                              SHA256:8371daec5ed076caa1cfdac1ce0ab350744de7d71108ae5efda80e4c54ab1d0e
                              SHA512:edc01e12e62a2a127209e22d86ba647bec26726caf0c19ecf8f72c8d02277a6df5fca94e98c86377dcac2c0c0a020f62fa59983ab959373e1f10d0f0c0a200b9
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................

                              File Icon

                              Icon Hash:d4d4d4d4d4c4d4d4

                              Static PE Info

                              General

                              Entrypoint:0x48303e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x619B474F [Mon Nov 22 07:31:27 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                               Instruction
                               jmp dword ptr [00402000h]
                               aas
                               add byte ptr [eax], al
                               add byte ptr [esi], cl
                               add byte ptr [eax], al
                               add byte ptr [edx+08h], al
                               add byte ptr [eax], al (repeated 92 times in the original preview: 00 00 bytes, i.e. zero padding, not code)

                               The jmp is the standard .NET entry stub: 0x402000 is image base 0x400000 plus the IAT RVA 0x2000 listed under Data Directories, and that IAT holds the single import mscoree.dll!_CorExeMain. Everything after the 6-byte jmp is data, so the disassembly of it carries no meaning.

                              Data Directories

                               Name                                 | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x82fec         | 0x4f         | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x84000         | 0x27fe8      | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xac000         | 0xc          | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                              Sections

                               Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                               .text  | 0x2000          | 0x81054      | 0x81200  | False    | 0.846968023959  | data      | 7.71324859014   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rsrc  | 0x84000         | 0x27fe8      | 0x28000  | False    | 0.066162109375  | data      | 4.88686576028   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xac000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              RT_ICON | 0x84280 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                              RT_ICON | 0x94aa8 | 0x94a8 | data | |
                              RT_ICON | 0x9df50 | 0x5488 | data | |
                              RT_ICON | 0xa33d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 255, next used block 4278190080 | |
                              RT_ICON | 0xa7600 | 0x25a8 | data | |
                              RT_ICON | 0xa9ba8 | 0x10a8 | data | |
                              RT_ICON | 0xaac50 | 0x988 | data | |
                              RT_ICON | 0xab5d8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                              RT_GROUP_ICON | 0xaba40 | 0x76 | data | |
                              RT_VERSION | 0xabab8 | 0x344 | data | |
                              RT_MANIFEST | 0xabdfc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                              Imports

                              DLL | Import
                              mscoree.dll | _CorExeMain

                              Version Infos

                              Description | Data
                              Translation | 0x0000 0x04b0
                              LegalCopyright | Copyright 2018
                              Assembly Version | 1.0.0.0
                              InternalName | ScopeTr.exe
                              FileVersion | 1.0.0.0
                              CompanyName |
                              LegalTrademarks |
                              Comments |
                              ProductName | PortalOverlapDetector
                              ProductVersion | 1.0.0.0
                              FileDescription | PortalOverlapDetector
                              OriginalFilename | ScopeTr.exe

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Nov 22, 2021 18:42:56.264987946 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:42:56.289038897 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:42:56.952244043 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:42:56.976357937 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:42:57.561363935 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:42:57.585977077 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:02.951915979 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:02.977057934 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:03.561923027 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:03.588546991 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:04.265078068 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:04.292613983 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:09.275240898 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:09.299293995 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:09.812411070 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:09.836608887 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:10.343769073 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:10.368030071 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:14.384462118 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:14.409018040 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:14.969136953 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:14.993705034 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:15.578519106 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:15.603188038 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:19.625451088 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:19.649784088 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:20.235312939 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:20.259782076 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:20.829252958 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:20.853341103 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:24.862373114 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:24.886487961 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:25.438829899 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:25.468293905 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:26.032625914 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:26.056696892 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:31.006181955 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:31.030275106 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:31.533024073 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:31.557014942 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:32.064357042 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:32.088397980 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:37.566045046 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:37.590603113 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:38.158592939 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:38.183608055 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:38.861836910 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:38.886480093 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:43.287142038 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:43.313277960 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:43.909112930 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:43.932987928 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:44.612274885 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:44.636317968 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:48.645354033 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:48.669897079 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:49.362699032 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:49.387068987 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:49.956582069 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:49.981035948 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:54.008384943 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:54.032459974 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:54.535037994 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:54.559367895 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:55.066251993 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:55.090214968 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:59.099176884 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:59.123878002 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:43:59.629189014 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:43:59.655045033 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:00.160480022 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:00.184974909 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:04.983974934 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:05.008469105 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:05.520273924 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:05.544728994 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:06.067190886 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:06.091680050 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:10.940007925 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:10.964031935 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:11.473891973 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:11.497879982 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:12.005242109 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:12.029294968 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:16.435203075 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:16.459328890 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:16.974375010 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:17.000811100 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:17.505692959 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:17.530899048 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:21.539437056 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:21.563847065 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:22.068577051 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:22.093142986 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:22.601186991 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:22.629250050 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:26.648516893 CET | 49859 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:26.672760963 CET | 9292 | 49859 | 185.140.53.131 | 192.168.2.7
                              Nov 22, 2021 18:44:27.178472042 CET | 49859 | 9292 | 192.168.2.7 | 185.140.53.131
                              Nov 22, 2021 18:44:27.203597069 CET | 9292 | 49859 | 185.140.53.131 | 192.168.2.7

                              UDP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Nov 22, 2021 18:42:56.064798117 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:42:56.250201941 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:43:02.829432011 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:43:02.850032091 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:43:09.085760117 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:43:09.271630049 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:43:30.819693089 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:43:31.003617048 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:43:37.544235945 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:43:37.564265966 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:43:43.264965057 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:43:43.284579992 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:04.800498962 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:04.982683897 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:10.916512966 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:10.935914040 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:16.413800001 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:16.434004068 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:36.836651087 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:37.021974087 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:42.118063927 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:42.304447889 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
                              Nov 22, 2021 18:44:47.401452065 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
                              Nov 22, 2021 18:44:47.421081066 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7

                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Nov 22, 2021 18:42:56.064798117 CET | 192.168.2.7 | 8.8.8.8 | 0x1739 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:02.829432011 CET | 192.168.2.7 | 8.8.8.8 | 0xdd3b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:09.085760117 CET | 192.168.2.7 | 8.8.8.8 | 0x9f4b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:30.819693089 CET | 192.168.2.7 | 8.8.8.8 | 0x825b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:37.544235945 CET | 192.168.2.7 | 8.8.8.8 | 0xc074 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:43.264965057 CET | 192.168.2.7 | 8.8.8.8 | 0x41dd | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:04.800498962 CET | 192.168.2.7 | 8.8.8.8 | 0x2c58 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:10.916512966 CET | 192.168.2.7 | 8.8.8.8 | 0x3f66 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:16.413800001 CET | 192.168.2.7 | 8.8.8.8 | 0x9ff8 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:36.836651087 CET | 192.168.2.7 | 8.8.8.8 | 0xf7ea | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:42.118063927 CET | 192.168.2.7 | 8.8.8.8 | 0x4949 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:47.401452065 CET | 192.168.2.7 | 8.8.8.8 | 0x20dd | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Nov 22, 2021 18:42:56.250201941 CET | 8.8.8.8 | 192.168.2.7 | 0x1739 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:02.850032091 CET | 8.8.8.8 | 192.168.2.7 | 0xdd3b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:09.271630049 CET | 8.8.8.8 | 192.168.2.7 | 0x9f4b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:31.003617048 CET | 8.8.8.8 | 192.168.2.7 | 0x825b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:37.564265966 CET | 8.8.8.8 | 192.168.2.7 | 0xc074 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:43:43.284579992 CET | 8.8.8.8 | 192.168.2.7 | 0x41dd | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:04.982683897 CET | 8.8.8.8 | 192.168.2.7 | 0x2c58 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:10.935914040 CET | 8.8.8.8 | 192.168.2.7 | 0x3f66 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:16.434004068 CET | 8.8.8.8 | 192.168.2.7 | 0x9ff8 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:37.021974087 CET | 8.8.8.8 | 192.168.2.7 | 0xf7ea | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:42.304447889 CET | 8.8.8.8 | 192.168.2.7 | 0x4949 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                              Nov 22, 2021 18:44:47.421081066 CET | 8.8.8.8 | 192.168.2.7 | 0x20dd | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              Behavior

                              System Behavior

                              General

                              Start time:18:42:23
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TR0398734893 50601251.exe"
                              Imagebase:0xaa0000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:18:42:35
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
                              Imagebase:0x1110000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:18:42:35
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:36
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:37
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:41
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Imagebase:0xd80000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:18:42:48
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:49
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:49
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TR0398734893 50601251.exe" 0
                              Imagebase:0x770000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:18:42:50
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:51
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:52
                              Start date:22/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                              Imagebase:0x830000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 28%, Virustotal, Browse
                              • Detection: 24%, ReversingLabs

                              General

                              Start time:18:42:59
                              Start date:22/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                              Imagebase:0x750000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
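The process entries above record the two behaviours worth correlating in triage: the submitted binary (MD5 F245CB3E...) runs again from C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe with the same hash, and schtasks.exe is invoked with /create and a task XML written to the user's AppData\Local\Temp (the pattern behind the "Suspicius Add Task From User AppData Temp" Sigma hit in the signature list). The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it reconstructs the process records from the fields on this page (constructed data, quoting reproduced as the report prints it), applies the self-copy and schtasks-from-Temp checks, and parses a task XML to link the scheduled task's action back to the self-copy. The XML body of tmp8F69.tmp is not reproduced in the report, so the one below is an assumption; the function names are hypothetical.

```python
"""Triage of a sandbox process tree for self-copy persistence via schtasks.

Added example (not Joe Sandbox code). Process records are constructed from
the report's fields; the task XML body is assumed, since the report only
names the temp file.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_MD5 = "F245CB3E4ECC54A0883371B525EB0BB1"   # MD5 of the submitted file
SAMPLE_PATH = r"C:\Users\user\Desktop\TR0398734893 50601251.exe"

# Constructed from the report's process entries (path, command line, MD5).
PROCESSES = [
    {"path": SAMPLE_PATH,
     "cmdline": r'"C:\Users\user\Desktop\TR0398734893 50601251.exe" 0',
     "md5": "F245CB3E4ECC54A0883371B525EB0BB1"},
    {"path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp',
     "md5": "15FF7D8324231381BAD48A052F85DF04"},
    {"path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496"},
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0',
     "md5": "F245CB3E4ECC54A0883371B525EB0BB1"},
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"',
     "md5": "F245CB3E4ECC54A0883371B525EB0BB1"},
]

# Assumed content of tmp8F69.tmp: a logon-triggered task whose action is the
# self-copy. Windows writes task XML as UTF-16; the declaration is omitted here
# so ElementTree can parse it from a str.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# /create ... /xml <path under the user's AppData\Local\Temp>
TEMP_TASK_RE = re.compile(
    r'/create\b.*?/xml\s+"?(?P<xml>[^"]*\\AppData\\Local\\Temp\\[^"]+)', re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"/]+?)"?\s+/', re.I)


def self_copies(processes, sample_md5, sample_path):
    """Paths other than the original from which the sample's bytes ran again."""
    return sorted({p["path"] for p in processes
                   if p["md5"].upper() == sample_md5.upper()
                   and p["path"].lower() != sample_path.lower()})


def schtasks_from_temp(processes):
    """(task name, xml path) for schtasks /create runs fed an XML from user Temp."""
    hits = []
    for p in processes:
        if not p["path"].lower().endswith(r"\schtasks.exe"):
            continue
        m = TEMP_TASK_RE.search(p["cmdline"])
        if not m:
            continue
        tn = TASK_NAME_RE.search(p["cmdline"])
        hits.append((tn.group(1).strip() if tn else None, m.group("xml")))
    return hits


def task_actions(xml_text):
    """(command, arguments) for every <Exec> action in a Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    return [(e.findtext("t:Command", default="", namespaces=NS).strip(),
             e.findtext("t:Arguments", default="", namespaces=NS).strip())
            for e in root.iterfind(".//t:Exec", NS)]


def triage(processes, sample_md5, sample_path, task_xml):
    """Correlate the three signals into human-readable findings."""
    copies = self_copies(processes, sample_md5, sample_path)
    findings = [f"self-copy of sample ({sample_md5}) ran from {c}" for c in copies]
    for name, xml_path in schtasks_from_temp(processes):
        findings.append(f"schtasks /create '{name}' from user Temp XML: {xml_path}")
    for cmd, args in task_actions(task_xml):
        target = cmd.strip('"')
        if any(target.lower() == c.lower() for c in copies):
            findings.append(f"task action launches the self-copy: {target} {args}".rstrip())
    return findings


if __name__ == "__main__":
    for line in triage(PROCESSES, SAMPLE_MD5, SAMPLE_PATH, TASK_XML):
        print(line)
```

On a live host the same checks map to Sysmon event ID 1 (process creation, with the Hashes field standing in for the report's MD5 column) and to Security event 4698 or the task file under C:\Windows\System32\Tasks, which holds the same XML schema parsed here.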
