Windows Analysis Report: AwgHpwrCpq.exe

Overview

General Information

Sample Name: AwgHpwrCpq.exe
Analysis ID: 551610
MD5: 525c479a4a2efc75301c47932e47a2a5
SHA1: 86cae4789fb9ab6afaa368d1d7446b4edc6820d5
SHA256: 64eb8c47b054d4cff298dff325c44cbedf6d4e42a7c950eab90656b4f384287a
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • AwgHpwrCpq.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\AwgHpwrCpq.exe" MD5: 525C479A4A2EFC75301C47932E47A2A5)
    • powershell.exe (PID: 6684 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6672 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 3032 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 5372 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5094.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6840 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5F3B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6868 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4596 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6452 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "5ddb4cba-37cb-41bf-8dbf-b2a0e345",
  "Domain1": "nsayers4rm382.bounceme.net",
  "Domain2": "127.0.0.1",
  "Port": 2050,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.323861162.0000000003121000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth

Unpacked PEs

Source | Rule | Description | Author | Strings
8.0.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
8.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
8.0.RegSvcs.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
0.2.AwgHpwrCpq.exe.313f4f0.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3032, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same event as listed under AV Detection above

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\AwgHpwrCpq.exe" , ParentImage: C:\Users\user\Desktop\AwgHpwrCpq.exe, ParentProcessId: 5880, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3032
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\AwgHpwrCpq.exe" , ParentImage: C:\Users\user\Desktop\AwgHpwrCpq.exe, ParentProcessId: 5880, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp, ProcessId: 6672
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AwgHpwrCpq.exe" , ParentImage: C:\Users\user\Desktop\AwgHpwrCpq.exe, ParentProcessId: 5880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, ProcessId: 6684
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\AwgHpwrCpq.exe" , ParentImage: C:\Users\user\Desktop\AwgHpwrCpq.exe, ParentProcessId: 5880, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3032
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AwgHpwrCpq.exe" , ParentImage: C:\Users\user\Desktop\AwgHpwrCpq.exe, ParentProcessId: 5880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe, ProcessId: 6684
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132864889188995764.6684.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same event as listed under AV Detection above

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: same event as listed under AV Detection above

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.0.RegSvcs.exe.400000.1.unpack; Malware Configuration Extractor: NanoCore (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: AwgHpwrCpq.exe; Virustotal: Detection: 31%
Source: AwgHpwrCpq.exe; ReversingLabs: Detection: 53%
Antivirus detection for URL or domain
Source: nsayers4rm382.bounceme.net; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GVujWCI.exe; ReversingLabs: Detection: 53%
Yara detected Nanocore RAT
Source: Yara match; File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTR
Machine Learning detection for sample
Source: AwgHpwrCpq.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GVujWCI.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: AwgHpwrCpq.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: AwgHpwrCpq.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000014.00000002.353079045.00000000005E2000.00000002.00020000.sdmp, dhcpmon.exe.8.dr

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: nsayers4rm382.bounceme.net
Source: Malware configuration extractor; URLs: 127.0.0.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.3:49750 -> 212.192.246.251:2050
          Source: AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/m
          Source: AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
          Source: AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comez
          Source: AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comte;
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.299682149.000000000558D000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: AwgHpwrCpq.exe, 00000000.00000003.299682149.000000000558D000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comX
          Source: AwgHpwrCpq.exe, 00000000.00000003.300343500.000000000555B000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
          Source: AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
          Source: AwgHpwrCpq.exe, 00000000.00000003.300343500.000000000555B000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comx
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: nsayers4rm382.bounceme.net
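Two things in the string block above deserve a note. The URLs (tiro.com, urwpp.de, sandoll.co.kr, jiyu-kobo.co.jp, sajatypeworks.com and the rest) are type-foundry vendor URLs of the kind carried in font files' name tables; they turn up in memory dumps of any process that loaded system fonts and are not network indicators. The trailing-byte variants ("www.tiro.comX", "www.sajatypeworks.comte;", "www.jiyu-kobo.co.jp/jp/m") are whatever followed the URL in the dumped region. The one real indicator here is the DNS query for nsayers4rm382.bounceme.net, a hostname under a free dynamic-DNS zone. The Python below is an added example written for this page, not Joe Sandbox code and not from the sample: it parses report rows of this shape, collapses the variants under one canonical host, and flags hostnames under a dynamic-DNS zone. The embedded rows are copied from the analysis above with the source column shortened; the dynamic-DNS zone list and the TLD list are the example's own assumptions.

```python
"""Triage 'String found in binary or memory' URLs from a sandbox report.

Added example for this page: not Joe Sandbox code and not part of the
sample. Groups URL strings by canonical host, collapses the trailing bytes
that produce variants such as 'www.tiro.comX', and flags hostnames under a
dynamic-DNS zone so the real C2 indicator stands out from font metadata.
"""
import re
from urllib.parse import urlsplit

# Dynamic-DNS zones commonly abused for RAT C2. Assumed list for this
# example, not data from the report; extend it from your own intel.
DYNDNS_ZONES = {
    "bounceme.net", "ddns.net", "hopto.org", "no-ip.org", "no-ip.biz",
    "zapto.org", "myftp.org", "sytes.net", "duckdns.org", "dyndns.org",
}

# Longest first so 'www.zhongyicts.com.cn' is cut at '.com.cn', not '.com'.
TLDS = (".com.cn", ".co.jp", ".co.kr", ".com", ".net", ".org", ".biz", ".de")

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for:\s*(\S+)")

# Constructed sample: rows copied from the report above, source column shortened.
_P = "Source: AwgHpwrCpq.exe, 00000000.00000002...sdmpString found in binary or memory: "
REPORT_LINES = [_P + u for u in (
    "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://www.goodfont.co.kr",
    "http://www.jiyu-kobo.co.jp/", "http://www.jiyu-kobo.co.jp/5",
    "http://www.jiyu-kobo.co.jp/jp/", "http://www.jiyu-kobo.co.jp/jp/m",
    "http://www.sajatypeworks.com", "http://www.sajatypeworks.comez",
    "http://www.sajatypeworks.comte;",
    "http://www.sakkal.com", "http://www.sandoll.co.kr",
    "http://www.tiro.com", "http://www.tiro.comX", "http://www.tiro.comlic",
    "http://www.tiro.comslnt", "http://www.tiro.comx",
    "http://www.typography.netD", "http://www.urwpp.deDPlease",
    "http://www.zhongyicts.com.cn",
)] + ["Source: unknownDNS traffic detected: queries for: nsayers4rm382.bounceme.net"]


def canonical_host(host):
    """Trim the bytes that followed the URL in memory.

    'www.tiro.comX' -> 'www.tiro.com'. Returns None when no known TLD is
    present, so an unrelated string is dropped rather than mis-grouped.
    """
    host = host.lower()
    for tld in TLDS:
        idx = host.find(tld)
        if idx > 0:
            return host[: idx + len(tld)]
    return None


def zone_of(host):
    """Last two labels: the zone a dynamic-DNS provider hands names out under."""
    return ".".join(host.split(".")[-2:])


def classify(host):
    if zone_of(host) in DYNDNS_ZONES:
        return "dynamic-dns host: C2 candidate"
    return "static string: vendor/metadata, not a network indicator by itself"


def triage(report_lines):
    """Return {'hosts': {host: {'variants': n, 'verdict': s}}, 'dns': {name: s}}."""
    hosts, dns = {}, {}
    for line in report_lines:
        m = STRING_RE.search(line)
        if m:
            host = canonical_host(urlsplit(m.group(1)).netloc)
            if host is None:
                continue
            entry = hosts.setdefault(host, {"variants": 0, "verdict": classify(host)})
            entry["variants"] += 1
            continue
        m = DNS_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            dns[name] = classify(name)
    return {"hosts": hosts, "dns": dns}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for host, info in sorted(result["hosts"].items()):
        print(f"{host:28} {info['variants']:2} variant(s)  {info['verdict']}")
    for name, verdict in result["dns"].items():
        print(f"DNS {name:24} {verdict}")
```

Run on the rows above, the nineteen URL strings collapse to ten hosts, all classified as static strings, and the single DNS name is the only C2 candidate. A hostname is grouped by its zone rather than by a denylist of foundries on purpose: the font URLs change from sample to sample with the fonts loaded, while the dynamic-DNS zones do not.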

          E-Banking Fraud:

Yara detected Nanocore RAT
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTR

          System Summary:

Malicious sample detected (through community Yara rule)
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.3.RegSvcs.exe.3feff37.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.3.RegSvcs.exe.3feff37.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: AwgHpwrCpq.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.3.RegSvcs.exe.3feff37.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.3.RegSvcs.exe.3feff37.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.3.RegSvcs.exe.3feff37.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.3.RegSvcs.exe.3feff37.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_02DC7630
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_02DC73D0
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_02DC73C2
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_06B60006
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_06B60070
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_072307B6 NtQuerySystemInformation,
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_07230785 NtQuerySystemInformation,
          Source: AwgHpwrCpq.exe, 00000000.00000002.333189816.00000000073F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs AwgHpwrCpq.exe
          Source: AwgHpwrCpq.exe, 00000000.00000000.296365120.0000000000B0A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGC.exeD vs AwgHpwrCpq.exe
          Source: AwgHpwrCpq.exe, 00000000.00000002.327607042.0000000004324000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs AwgHpwrCpq.exe
          Source: AwgHpwrCpq.exeBinary or memory string: OriginalFilenameGC.exeD vs AwgHpwrCpq.exe
          Source: AwgHpwrCpq.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: GVujWCI.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: AwgHpwrCpq.exeVirustotal: Detection: 31%
          Source: AwgHpwrCpq.exeReversingLabs: Detection: 53%
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile read: C:\Users\user\Desktop\AwgHpwrCpq.exeJump to behavior
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\AwgHpwrCpq.exe "C:\Users\user\Desktop\AwgHpwrCpq.exe"
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5094.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5F3B.tmp
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_0723063A AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeCode function: 0_2_07230603 AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile created: C:\Users\user\AppData\Roaming\GVujWCI.exeJump to behavior
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8089.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@21/22@18/1
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: 8.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 8.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 8.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 8.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{5ddb4cba-37cb-41bf-8dbf-b2a0e34526eb}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeMutant created: \Sessions\1\BaseNamedObjects\nRfvmNKbs
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: AwgHpwrCpq.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: AwgHpwrCpq.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000014.00000002.353079045.00000000005E2000.00000002.00020000.sdmp, dhcpmon.exe.8.dr

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: AwgHpwrCpq.exe, ISymbolRead/IDispat.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: GVujWCI.exe.0.dr, ISymbolRead/IDispat.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.AwgHpwrCpq.exe.aa0000.0.unpack, ISymbolRead/IDispat.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.AwgHpwrCpq.exe.aa0000.0.unpack, ISymbolRead/IDispat.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 13_2_01032884 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 13_2_010329A9 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 13_2_010327B5 push edi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 13_2_01032835 push edi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 13_2_01032879 push ecx; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_00DB299D push eax; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_00DB2878 push ecx; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_00DB26F1 push edi; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_00DB2829 push edi; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 20_2_00DB286D push ecx; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.94983265603
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 8.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeFile created: C:\Users\user\AppData\Roaming\GVujWCI.exeJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.313f4f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AwgHpwrCpq.exe.31374e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.323861162.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: AwgHpwrCpq.exe, 00000000.00000002.323861162.0000000003121000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: AwgHpwrCpq.exe, 00000000.00000002.323861162.0000000003121000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe TID: 4608; Thread sleep time: -39955s >= -30000s
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe TID: 4600; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2952; Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5076; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6656; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 859
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Window / User API: foregroundWindowGot 618
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Window / User API: foregroundWindowGot 706
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Thread delayed: delay time: 39955
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
Source: AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: AwgHpwrCpq.exe, 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory allocated: page read and write | page guard
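The evasion evidence above is two things: indicator strings for Sandboxie, Wine and VMware Tools sitting in the sample's memory, and thread delays that exceed the sandbox's 30 s threshold (the repeated value 922337203685477 is .NET TimeSpan.MaxValue expressed in whole milliseconds). The following script, added here as an example and not code from the report or from the malware, scans a memory blob for the listed indicator strings in both ASCII and UTF-16LE (the in-memory form of .NET strings, which an ASCII-only grep misses) and classifies the delay values the way the sandbox does. The indicator families, the sample blob and the delay list are constructed for this example.

```python
"""Triage of the anti-analysis artefacts a sandbox report lists.

Added example; not code from the report or from the malware. Scans a memory
blob for the sandbox/VM indicator strings recorded in the report, in ASCII and
in UTF-16LE, and classifies thread delays (milliseconds) against the sandbox's
30 s threshold. Families, sample blob and delay list are constructed here.
"""

# Indicator strings taken verbatim from the report's "Binary or memory string"
# lines, grouped into families (the grouping is an assumption of this example).
INDICATORS = {
    "sandboxie": ["SBIEDLL.DLL"],
    "wine": ["WINE_GET_UNIX_FILE_NAME"],
    "vmware": [
        "VMware SVGA II",
        "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "vmware",
    ],
}

# .NET TimeSpan ticks are 100 ns; TimeSpan.MaxValue in whole milliseconds is
# (2**63 - 1) // 10_000 == 922337203685477, the value the report repeats.
TICKS_PER_MS = 10_000
DOTNET_MAX_SLEEP_MS = (2**63 - 1) // TICKS_PER_MS


def find_indicators(blob: bytes) -> dict:
    """Return {family: sorted matched strings} for indicators present in blob.

    Matching is case-insensitive and tries both ASCII and UTF-16LE, so a
    string held by a managed (.NET) process is found as well as a C string.
    """
    lowered = blob.lower()  # bytes.lower() only touches ASCII letters
    hits = {}
    for family, needles in INDICATORS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16-le"):
                if needle.lower().encode(enc) in lowered:
                    hits.setdefault(family, set()).add(needle)
                    break
    return {family: sorted(found) for family, found in hits.items()}


def classify_delay(delay_ms: int, threshold_ms: int = 30_000) -> str:
    """Classify one thread delay as the sandbox threshold would see it.

    The report prints some delays negated (-39955 against -30000); the sign
    carries no meaning here, so the magnitude is compared.
    """
    magnitude = abs(delay_ms)
    if magnitude >= DOTNET_MAX_SLEEP_MS:
        return "effectively-infinite"  # thread parked for the process lifetime
    if magnitude >= threshold_ms:
        return "long-sleep"  # outlasts a typical analysis window
    return "short"


def triage(blob: bytes, delays_ms: list) -> dict:
    """Combine both checks into one verdict dictionary."""
    indicators = find_indicators(blob)
    delays = {d: classify_delay(d) for d in delays_ms}
    evasive = bool(indicators) or any(v != "short" for v in delays.values())
    return {"indicators": indicators, "delays": delays, "evasive": evasive}


# Constructed sample: a memory blob mixing UTF-16LE and ASCII copies of the
# report's strings, plus the delay values the report lists for AwgHpwrCpq.exe.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00" * 8
    + b"SBIEDLL.DLL"
    + b"\x00" * 8
    + "kernel32.dll.wine_get_unix_file_name".encode("utf-16-le")
)
SAMPLE_DELAYS_MS = [-39955, -922337203685477, 39955, 1500]

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, SAMPLE_DELAYS_MS))
```

Run it against a process memory dump (for example the `.sdmp` regions the report names) by passing the file's bytes as `blob`; the UTF-16LE pass is what turns up the strings a managed sample keeps as `System.String` objects.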

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 737008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5094.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5F3B.tmp
Source: RegSvcs.exe, 00000008.00000003.449199206.0000000005F9A000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000003.477001103.0000000005F9A000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000003.450932368.0000000005F9D000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000003.340900581.0000000000BFF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000003.357881823.0000000005FB1000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000003.358140355.0000000005FB1000.00000004.00000001.sdmp; Binary or memory string: Program Manager
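The rows above record one loader chain: the sample excludes its dropped copy C:\Users\user\AppData\Roaming\GVujWCI.exe from Windows Defender with Add-MpPreference (the cmdlet takes file as well as directory paths, and it needs administrative rights, so the rows show the attempt rather than proof that the exclusion took effect), registers scheduled tasks from XML files written to the user's Temp directory, starts the .NET 2.0 framework binary RegSvcs.exe, allocates read/write/execute memory in it at 0x400000 (the default 32-bit image base) and writes an MZ header there, after which RegSvcs.exe itself creates further tasks. The Python below is an added example, not part of the Joe Sandbox report or its signatures: it encodes those observations as detection rules and runs them over a handful of Sysmon-style process-creation and cross-process memory events constructed from the rows, plus one benign control. The event shape, field names and rule names are this example's own assumptions. Real telemetry for the memory part needs an EDR: Sysmon does not log the write itself, only ProcessAccess (Event ID 10) with a granted-access mask that includes 0x20 (PROCESS_VM_WRITE).

```python
"""Detection rules for the behaviour chain in the report rows above.

Added example, not part of the Joe Sandbox report. It runs offline over constructed
Sysmon-style events; event shape, field names and rule names are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str

# .NET framework binaries that loaders commonly start and hollow, and the
# living-off-the-land children such a host has no business spawning.
NET_HOSTS = {"regsvcs.exe", "regasm.exe"}
LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXCLUSION = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_process(evt: dict) -> list[Finding]:
    """Rules over one process-creation event: parent image, image, command line."""
    out: list[Finding] = []
    image, parent, cmd = _base(evt["image"]), _base(evt["parent"]), evt["cmdline"]
    m = EXCLUSION.search(cmd)
    if image in {"powershell.exe", "pwsh.exe"} and m:
        excluded = m.group(2) or m.group(3)
        # Excluding something under the user profile is the dropper pattern, not admin hygiene.
        sev = "high" if USER_WRITABLE.search(excluded) else "medium"
        out.append(Finding("defender_exclusion_added", sev, f"Exclusion{m.group(1)} -> {excluded}"))
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        xml, tn = TASK_XML.search(cmd), TASK_NAME.search(cmd)
        xml_path = (xml.group(1) or xml.group(2)) if xml else ""
        task = (tn.group(1) or tn.group(2)) if tn else "?"
        if TEMP_DIR.search(xml_path):
            out.append(Finding("schtasks_xml_from_temp", "high", f"task {task!r} defined by {xml_path}"))
    if image in LOLBINS and parent in NET_HOSTS:
        out.append(Finding("dotnet_host_spawns_lolbin", "high", f"{parent} -> {image}: {cmd}"))
    if image in NET_HOSTS and USER_WRITABLE.search(evt["parent"]):
        out.append(Finding("dotnet_host_from_user_path", "medium", f"{evt['parent']} -> {image}"))
    return out

def check_memory(evt: dict) -> list[Finding]:
    """Rules over one cross-process memory allocation or write."""
    out: list[Finding] = []
    if evt["source"] == evt["target"]:
        return out  # operations on a process's own memory are normal
    where = f"{_base(evt['source'])} -> {_base(evt['target'])} @ {evt['base']:#x}"
    protect = evt.get("protect", "").lower()
    if "execute" in protect and "write" in protect:
        out.append(Finding("rwx_allocation_in_foreign_process", "high", where))
    if evt.get("first_bytes", "").upper().startswith("4D5A"):  # "MZ": a PE image mapped by hand
        out.append(Finding("pe_written_to_foreign_process", "critical", where))
    return out

LOADER = r"C:\Users\user\Desktop\AwgHpwrCpq.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
# Constructed events modelled on the report rows, not real telemetry; the last process event is a benign control.
PROCESS_EVENTS = [
    {"parent": LOADER, "image": PS, "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe"'},
    {"parent": LOADER, "image": SCHTASKS, "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp"'},
    {"parent": LOADER, "image": REGSVCS, "cmdline": REGSVCS},
    {"parent": REGSVCS, "image": SCHTASKS, "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5094.tmp"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": r'"powershell.exe" Get-MpPreference'},
]
MEMORY_EVENTS = [
    {"source": LOADER, "target": REGSVCS, "base": 0x400000, "protect": "page execute and read and write"},
    {"source": LOADER, "target": REGSVCS, "base": 0x400000, "first_bytes": "4D5A"},
    {"source": LOADER, "target": REGSVCS, "base": 0x737008, "first_bytes": "00000000"},
]

def analyze(process_events, memory_events) -> list[Finding]:
    return ([f for e in process_events for f in check_process(e)]
            + [f for e in memory_events for f in check_memory(e)])

def rule_counts(findings) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))

if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, MEMORY_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The rules deliberately key on relationships rather than on the task names or the tmpXXXX.tmp filenames, which change per sample: a Defender exclusion pointing into the user profile, a task definition loaded from Temp, a framework host started from a user-writable path or spawning schtasks.exe, and a PE header landing in another process. Tuning note: RegSvcs.exe and RegAsm.exe are legitimately run by Visual Studio and installers, so the `dotnet_host_from_user_path` rule is rated medium and is meant to be correlated with the others, not alerted on alone.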
Source: C:\Users\user\Desktop\AwgHpwrCpq.exe; Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\:
arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf, seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF, BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF, CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF, KUNSTLER.TTF, LBRITE.TTF, LBRITED.TTF, LBRITEI.TTF, LBRITEDI.TTF, LCALLIG.TTF, LFAX.TTF, LFAXD.TTF, LFAXI.TTF, LFAXDI.TTF, MAGNETOB.TTF, MATURASC.TTF, MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF, OLDENGL.TTF, ONYX.TTF, PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF, INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF, VINERITC.TTF, VIVALDII.TTF, VLADIMIR.TTF, LATINWD.TTF, TCM_____.TTF, TCMI____.TTF, TCB_____.TTF, TCBI____.TTF, TCCM____.TTF, TCCB____.TTF, TCCEB.TTF, SCRIPTBL.TTF, ROCK.TTF, ROCKI.TTF, ROCKB.TTF, ROCKEB.TTF, ROCKBI.TTF, ROCC____.TTF, ROCCB___.TTF, RAGE.TTF, PERTILI.TTF, PERTIBD.TTF, PER_____.TTF, PERI____.TTF, PERB____.TTF, PERBI___.TTF
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\AwgHpwrCpq.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (7 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Note: the catalog lookups for the Windows-Defender-Management-Powershell package are the signature checks performed when the Defender management module is loaded into the 32-bit powershell.exe; correlate them with the Defender exclusion activity flagged elsewhere in this report.
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation (2 times)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (2 times)
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation (4 times)
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (4 times)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Note: MachineGuid is a stable per-host value; RATs commonly read it to derive a victim identifier, and a legitimate RegSvcs.exe run has no reason to.
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (14 times)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct (14 times)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct (14 times)
          Note: the three queries were issued together as one triplet, repeated 14 times over the run; the ROOT\SecurityCenter2 namespace lists the registered antivirus, anti-spyware and firewall products, so this is security-product enumeration from inside an injected .NET Framework utility.
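          The SecurityCenter2 queries and the MachineGuid read above are the reconnaissance a triager keys on in a report like this. The following Python script is an added example, not part of the Joe Sandbox report or of NanoCore: it parses behaviour lines laid out as "Source: <process> | <action>: <detail>", aggregates them per process, and flags a process that enumerates all three SecurityCenter2 classes and reads MachineGuid, adding a note when that process lives under the .NET Framework directory, as RegSvcs.exe does here. The sample lines embedded in the script are constructed to mirror the report's entries; the "|" column separator, the all-three-classes threshold and the .NET Framework path heuristic are this example's own assumptions.

```python
"""Triage helper for sandbox behaviour listings.

Added example for this page; it is not part of the Joe Sandbox report or of
NanoCore. It parses report lines laid out as
"Source: <process> | <action>: <detail>" and scores each process on the two
reconnaissance indicators the report records for RegSvcs.exe: enumeration of
security products through the ROOT\\SecurityCenter2 WMI namespace and the
read of HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: mirrors the report's entries but is not copied from it.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Stealing of Sensitive Information:
"""

# "Source: <process> | <action>: <detail>"; the "|" separator is this
# example's assumption about how the report columns are laid out.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<action>[^:|]+?)\s*:\s*(?P<detail>.*)$")
SECCENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2\s*:\s*SELECT\s+\S+\s+FROM\s+"
    r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b", re.IGNORECASE)
MACHINEGUID_RE = re.compile(r"\\Microsoft\\Cryptography\s+MachineGuid\b", re.IGNORECASE)
SECCENTER_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
# Signed .NET Framework utilities (RegSvcs.exe in this report) have no
# business enumerating security products; heuristic assumed for this example.
DOTNET_FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework"


@dataclass(frozen=True)
class Event:
    source: str
    action: str
    detail: str


def parse_line(line: str):
    """Return an Event for a behaviour line, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    return Event(m["source"], m["action"], m["detail"]) if m else None


def parse_report(text: str):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def triage(events):
    """Aggregate per process and explain why a process looks like a RAT host."""
    stats = defaultdict(lambda: {"security_center_classes": set(),
                                 "wmi_query_count": 0, "machine_guid": False})
    for ev in events:
        rec = stats[ev.source]
        if ev.action.lower() == "wmi queries":
            m = SECCENTER_RE.search(ev.detail)
            if m:
                rec["security_center_classes"].add(m.group(1).lower())
                rec["wmi_query_count"] += 1
        elif ev.action.lower() == "key value queried" and MACHINEGUID_RE.search(ev.detail):
            rec["machine_guid"] = True

    results = {}
    for source, rec in stats.items():
        reasons = []
        if rec["security_center_classes"] == SECCENTER_CLASSES:
            reasons.append("enumerates AV, anti-spyware and firewall products via ROOT\\SecurityCenter2")
        if rec["machine_guid"]:
            reasons.append("reads MachineGuid, a stable per-host identifier")
        if reasons and source.lower().startswith(DOTNET_FRAMEWORK_DIR):
            reasons.append("behaviour comes from a .NET Framework utility, consistent with process injection")
        results[source] = {"suspicious": bool(reasons), "reasons": reasons, **rec}
    return results


if __name__ == "__main__":
    for proc, verdict in triage(parse_report(SAMPLE_REPORT)).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {proc}")
        for reason in verdict["reasons"]:
            print(f"            - {reason}")
```

          Run it directly to print a per-process verdict; the same parse_report and triage pair can be pointed at a whole exported report. Legitimate inventory and security tools also query ROOT\SecurityCenter2, so the identity of the querying process (a signed framework utility that should never do this) carries most of the weight, which is why the verdict reports the reasons rather than a bare score.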

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTR

          Remote Access Functionality:

Detected Nanocore Rat
          Source: AwgHpwrCpq.exe, 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: RegSvcs.exe, 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: RegSvcs.exe, 00000008.00000003.348107135.0000000003FEF000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.41b1fa0.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.417f380.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AwgHpwrCpq.exe.417f380.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AwgHpwrCpq.exe PID: 5880, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3032, type: MEMORYSTR

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Masquerading 2 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Process Injection 312 | Disable or Modify Tools 11 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 312 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 551610, Sample: AwgHpwrCpq.exe, Startdate: 12/01/2022, Architecture: WINDOWS, Score: 100

Graph contents (the graph image itself is not reproduced; node and edge information recovered from it):

Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
Processes started from the start node: AwgHpwrCpq.exe (8), RegSvcs.exe (12), dhcpmon.exe (14), dhcpmon.exe (16)
AwgHpwrCpq.exe (8) dropped: C:\Users\user\AppData\Roaming\GVujWCI.exe (PE32); C:\Users\user\...\GVujWCI.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8089.tmp (XML); C:\Users\user\AppData\...\AwgHpwrCpq.exe.log (ASCII)
AwgHpwrCpq.exe (8) signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
AwgHpwrCpq.exe (8) started: RegSvcs.exe (18), powershell.exe (23), schtasks.exe (25)
RegSvcs.exe (12), dhcpmon.exe (14) and dhcpmon.exe (16) each started conhost.exe (27, 29, 31)
RegSvcs.exe (18) network: nsayers4rm382.bounceme.net, 212.192.246.251, ports 2050, 49750, 49753, RHC-HOSTINGGB, Russian Federation
RegSvcs.exe (18) dropped: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
RegSvcs.exe (18) signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
RegSvcs.exe (18) started: schtasks.exe (33), schtasks.exe (35)
powershell.exe (23) started conhost.exe (37); schtasks.exe (25) started conhost.exe (39); schtasks.exe (33) started conhost.exe (41); schtasks.exe (35) started conhost.exe (43)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
AwgHpwrCpq.exe | 31% | Virustotal |
AwgHpwrCpq.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
AwgHpwrCpq.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\GVujWCI.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GVujWCI.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

Source | Detection | Scanner | Label
8.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0CoF | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnW | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.comte; | 0% | Avira URL Cloud | safe
http://www.fontbureau.comiona | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/5 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/m | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.com5 | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
127.0.0.1 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
nsayers4rm382.bounceme.net | 100% | Avira URL Cloud | malware
http://www.tiro.comslnt | 0% | URL Reputation | safe
http://www.tiro.comx | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.carterandcone.compo( | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/P | 0% | URL Reputation | safe
http://www.fontbureau.co | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/I | 0% | URL Reputation | safe
http://www.tiro.comlic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.comaF | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.carterandcone.comIta | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
http://www.carterandcone.com-u | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
http://www.sajatypeworks.comez | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
nsayers4rm382.bounceme.net | 212.192.246.251 | true | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
127.0.0.1 | true | Avira URL Cloud: safe | unknown
nsayers4rm382.bounceme.net | true | Avira URL Cloud: malware | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0CoF | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnW | AwgHpwrCpq.exe, 00000000.00000003.299481948.0000000005552000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.299682149.000000000558D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000002.331640288.0000000005550000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.321800949.0000000005550000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comte; | AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comiona | AwgHpwrCpq.exe, 00000000.00000002.331640288.0000000005550000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.321800949.0000000005550000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.306003560.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.306141043.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.305956424.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.305887538.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.306076996.000000000557D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/5 | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/m | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com5 | AwgHpwrCpq.exe, 00000000.00000002.331640288.0000000005550000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.321800949.0000000005550000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Z | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmll | AwgHpwrCpq.exe, 00000000.00000003.304045578.000000000557D000.00000004.00000001.sdmp | false | | high
http://www.tiro.comslnt | AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comx | AwgHpwrCpq.exe, 00000000.00000003.300343500.000000000555B000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.compo( | AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/P | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.co | AwgHpwrCpq.exe, 00000000.00000003.304045578.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304006371.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304078228.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304134112.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304160985.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304187538.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304104134.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304214918.000000000557D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/I | AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comlic | AwgHpwrCpq.exe, 00000000.00000003.300343500.000000000555B000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300268737.0000000005560000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | AwgHpwrCpq.exe, 00000000.00000003.304028531.000000000555D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comaF | AwgHpwrCpq.exe, 00000000.00000002.331640288.0000000005550000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.321800949.0000000005550000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | AwgHpwrCpq.exe, 00000000.00000003.299264423.0000000005559000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.299481948.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.299290052.000000000555E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comIta | AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303977636.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303792528.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303820672.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303916405.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303756084.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303892323.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303870218.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303942793.000000000557E000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.303847993.000000000557E000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/u | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comX | AwgHpwrCpq.exe, 00000000.00000003.299682149.000000000558D000.00000004.00000001.sdmp | false | | unknown
http://www.fontbureau.com/designers/cabarga.html | AwgHpwrCpq.exe, 00000000.00000003.304045578.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304078228.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304134112.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304160985.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304187538.000000000557D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.304104134.000000000557D000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n | AwgHpwrCpq.exe, 00000000.00000003.300641664.000000000555F000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com-u | AwgHpwrCpq.exe, 00000000.00000003.300382562.0000000005552000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | AwgHpwrCpq.exe, 00000000.00000002.332164189.0000000006762000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/d | AwgHpwrCpq.exe, 00000000.00000003.301207275.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300951364.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301079613.0000000005552000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.301550608.000000000555D000.00000004.00000001.sdmp, AwgHpwrCpq.exe, 00000000.00000003.300980786.000000000555F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comez | AwgHpwrCpq.exe, 00000000.00000003.298005484.000000000556B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                      Contacted IPs


                                      Public

IP:212.192.246.251
Domain:nsayers4rm382.bounceme.net
Country:Russian Federation
ASN:205220
ASN Name:RHC-HOSTINGGB
Malicious:true

                                      General Information

                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                      Analysis ID:551610
                                      Start date:12.01.2022
                                      Start time:11:20:51
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 10m 12s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:AwgHpwrCpq.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:33
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@21/22@18/1
                                      EGA Information:
                                      • Successful, ratio: 75%
                                      HDC Information:
                                      • Successful, ratio: 4.9% (good quality ratio 3.8%)
                                      • Quality average: 54.6%
                                      • Quality standard deviation: 35.5%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • TCP Packets have been reduced to 100
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 184.30.21.144
                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
                                      • Execution Graph export aborted for target dhcpmon.exe, PID 4596 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time:11:21:57
Type:API Interceptor
Description:1x Sleep call for process: AwgHpwrCpq.exe modified
Time:11:22:01
Type:API Interceptor
Description:35x Sleep call for process: powershell.exe modified
Time:11:22:07
Type:Autostart
Description:Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Time:11:22:09
Type:Task Scheduler
Description:Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
Time:11:22:11
Type:Task Scheduler
Description:Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
Time:11:22:11
Type:API Interceptor
Description:853x Sleep call for process: RegSvcs.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      No context

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):3.7515815714465193
                                      Encrypted:false
                                      SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                      MD5:71369277D09DA0830C8C59F9E22BB23A
                                      SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                      SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                      SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                      Malicious:false
                                      Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AwgHpwrCpq.exe.log
                                      Process:C:\Users\user\Desktop\AwgHpwrCpq.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):659
                                      Entropy (8bit):5.2661344468761735
                                      Encrypted:false
                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2U/N0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2U/Pz2T
                                      MD5:3C153E5BCCA87FF6E091634EE977299F
                                      SHA1:6DE85803E7FA00C03CE809243EB8162DF036430A
                                      SHA-256:F0705BDCE38ADB33CA8B414DDB85718985660BC73E0BE4439E0A94384A37797D
                                      SHA-512:54BDFFA72A0D4122B5B79B092D7E8C3213EB30AE2858188748E52ADD65ADE2F2F887892C06BB8ED790C19F1ED949176B9A9F0113679EF38B74387A189E6DC745
                                      Malicious:true
                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\aa840ffb0dd775d9eb8d66c8a8e8cdd9\System.Transactions.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):120
                                      Entropy (8bit):5.016405576253028
                                      Encrypted:false
                                      SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                      MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                      SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                      SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                      SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                      Malicious:false
                                      Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):120
                                      Entropy (8bit):5.016405576253028
                                      Encrypted:false
                                      SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                      MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                      SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                      SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                      SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                      Malicious:false
                                      Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):22284
                                      Entropy (8bit):5.602699341333266
                                      Encrypted:false
                                      SSDEEP:384:8tCDu+0QwVEdn1qj+ARwSBKnAjultI277Y9gtrSJ3xCT1MabZlbAV7cWMiiZBDIL:Bd1c64KACltJfxcQCqfwoPVA
                                      MD5:3048DF741C5E308B7020EB7B6CD49868
                                      SHA1:F55A0E9D4A4ABD132038ABF506A565C9AE56B20A
                                      SHA-256:380DB14C232149B962C830BA6150E76BFFE4D28945CBAA502539AB0DCAA346A6
                                      SHA-512:4776B63353BA66A4F0A17F129F8AA263937907A3AD83711D05D8E38ECEB684DEFEE7EF218EC12A311EAFE55E4B5A1E9E30381D17361622F646B98C7010977D41
                                      Malicious:false
                                      Preview: @...e...........|.......e.............B...B..........@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w2huebk.vkv.ps1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xadrza.5l3.psm1
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview: 1
                                      C:\Users\user\AppData\Local\Temp\tmp5094.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1320
                                      Entropy (8bit):5.135021273392143
                                      Encrypted:false
                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
                                      MD5:40B11EF601FB28F9B2E69D36857BF2EC
                                      SHA1:B6454020AD2CEED193F4792B77001D0BD741B370
                                      SHA-256:C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
                                      SHA-512:E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
                                      Malicious:false
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                      C:\Users\user\AppData\Local\Temp\tmp5F3B.tmp
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1310
                                      Entropy (8bit):5.109425792877704
                                      Encrypted:false
                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                      MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                      SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                      SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                      SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                      Malicious:false
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                      C:\Users\user\AppData\Local\Temp\tmp8089.tmp
                                      Process:C:\Users\user\Desktop\AwgHpwrCpq.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1594
                                      Entropy (8bit):5.154382393443975
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtvjxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTvdv
                                      MD5:5C4F389D0002E4D3AE7B0B972078F1BE
                                      SHA1:D7106A2419FDADE9A606EBF3A58AE78A4171637D
                                      SHA-256:5F8BD13D347EF773E605204EA7A2E4AD37BCF2429B9A0F2A25C0F2151315BD30
                                      SHA-512:E2ABE78AE04EBBB8F74BC6F1157A41B99AAF1BC580EFD05D816B30FEE18D7FBA908CB52DD8AF931B00D651968AF435871D0FFA13CFB0096BC8F7CE82171AAC05
                                      Malicious:true
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):232
                                      Entropy (8bit):7.024371743172393
                                      Encrypted:false
                                      SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                      MD5:32D0AAE13696FF7F8AF33B2D22451028
                                      SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                      SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                      SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                      Malicious:false
                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):8
                                      Entropy (8bit):3.0
                                      Encrypted:false
                                      SSDEEP:3:Zul4:k4
                                      MD5:5280FF970A69A55B91D533321E2DD28B
                                      SHA1:A0F546E63C394B6D59DAD11407B0E3252280E5F1
                                      SHA-256:8CFBAB91928EC5070392C748EEE24E1F2C7113914D7A292C05E090733E3010EB
                                      SHA-512:664313D9D6D9B87FBC7F86BF2AFFFBEF0D966F3D71C09EAE0E4C7211CBAAFCE508F37B621D92B374EFF69E034E9D5FB0BB63FA6580070185EB1A3D4BFE243CF6
                                      Malicious:true
                                      Preview: .....H
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):24
                                      Entropy (8bit):4.584962500721156
                                      Encrypted:false
                                      SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
                                      MD5:3FCC766D28BFD974C68B38C27D0D7A9A
                                      SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
                                      SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
                                      SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
                                      Malicious:false
                                      Preview: 9iH...}Z.4..f.....l.d
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):40
                                      Entropy (8bit):5.221928094887364
                                      Encrypted:false
                                      SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                      MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                      SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                      SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                      SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                      Malicious:false
                                      Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):426840
                                      Entropy (8bit):7.999608491116724
                                      Encrypted:true
                                      SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
                                      MD5:963D5E2C9C0008DFF05518B47C367A7F
                                      SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
                                      SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
                                      SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
                                      Malicious:false
                                      Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):57
                                      Entropy (8bit):4.795707286467131
                                      Encrypted:false
                                      SSDEEP:3:oMty8WbSX/MNn:oMLWus
                                      MD5:D685103573539B7E9FDBF5F1D7DD96CE
                                      SHA1:4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
                                      SHA-256:D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
                                      SHA-512:17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
                                      Malicious:false
                                      Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      C:\Users\user\AppData\Roaming\GVujWCI.exe
                                      Process:C:\Users\user\Desktop\AwgHpwrCpq.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):424448
                                      Entropy (8bit):7.940710439386542
                                      Encrypted:false
                                      SSDEEP:12288:de01WUknsn9cOCfDAw214ZcSWqFGHAHP07:80V9jCnPZcSDsS
                                      MD5:525C479A4A2EFC75301C47932E47A2A5
                                      SHA1:86CAE4789FB9AB6AFAA368D1D7446B4EDC6820D5
                                      SHA-256:64EB8C47B054D4CFF298DFF325C44CBEDF6D4E42A7C950EAB90656B4F384287A
                                      SHA-512:E075CC1C83B0935FD0FEF4BB1D1CCBBA16178CD8383EDF0378195BD60D2668DE37F265A2EDE70773AC89CE905530932050C3E487F28287073FCD7FEEB5A4C92E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 53%
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..a.................p............... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........&...g...........C...............................................*".(.....*.~....*.......*>.(.....X(.....*>.(.....Y(.....*>#.......@.....*B.(........}....*..*r.r...p.{....o....(....(....z"..(....*..s....*B.(........}....*r.r...p.{....o....(....(....z.s)...*"..o*...*"..o+...*"..o,...*&...(-...*..o....*..o/...*..o0...*"..(1...*"..(2...*"..(3...*.s4...*"..o5...*"..o6...*"..o7...*..(8...*..o9...*..(:...*...}.....(@.......}......}.....(I....*>..(...........*..oT...*..oU...
                                      C:\Users\user\AppData\Roaming\GVujWCI.exe:Zone.Identifier
                                      Process:C:\Users\user\Desktop\AwgHpwrCpq.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview: [ZoneTransfer]....ZoneId=0
                                      C:\Users\user\Documents\20220112\PowerShell_transcript.035347.8FhJ5YXh.20220112112200.txt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):5777
                                      Entropy (8bit):5.411163730512081
                                      Encrypted:false
                                      SSDEEP:96:BZHhaNnqDo1ZCZ8haNnqDo1ZuNpLRjZUhaNnqDo1ZachhgZn:p
                                      MD5:E9EF4996F33912C86BAA57CDD5936554
                                      SHA1:F74420353FF479B483E2164B24F6AF63D2C8B2CA
                                      SHA-256:11EB094D9ACF31768DB9B2C12A7ACA64F5D7964731AD162A78CA354BC586D392
                                      SHA-512:E3C1221CE1B7684452F632E349CFADD182BE326176D468A3BCE04E3A90996D4196C9F56C131A78B4C61533276D71E5BA4D99F042603C0BF924BCF92C42539842
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112112201..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 035347 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\GVujWCI.exe..Process ID: 6684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112112201..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\GVujWCI.exe..**********************..Windows PowerShell transcript start..Start time: 20220112112620..Username: computer\user..RunAs User: computer\user..Con
                                      \Device\ConDrv
                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1145
                                      Entropy (8bit):4.462201512373672
                                      Encrypted:false
                                      SSDEEP:24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
                                      MD5:46EBEB88876A00A52CC37B1F8E0D0438
                                      SHA1:5E5DB352F964E5F398301662FF558BD905798A65
                                      SHA-256:D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
                                      SHA-512:E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
                                      Malicious:false
                                      Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.940710439386542
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:AwgHpwrCpq.exe
                                      File size:424448
                                      MD5:525c479a4a2efc75301c47932e47a2a5
                                      SHA1:86cae4789fb9ab6afaa368d1d7446b4edc6820d5
                                      SHA256:64eb8c47b054d4cff298dff325c44cbedf6d4e42a7c950eab90656b4f384287a
                                      SHA512:e075cc1c83b0935fd0fef4bb1d1ccbba16178cd8383edf0378195bd60d2668de37f265a2ede70773ac89ce905530932050c3e487f28287073fcd7feeb5a4c92e
                                      SSDEEP:12288:de01WUknsn9cOCfDAw214ZcSWqFGHAHP07:80V9jCnPZcSDsS
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..a.................p............... ........@.. ....................................@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x468efe
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x61DDDA58 [Tue Jan 11 19:28:24 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v2.0.50727
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al (this instruction repeats for the rest of the preview; the bytes following the jmp stub are zero-filled)

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68ea4 | 0x57 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x5c8 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x66f04 | 0x67000 | False | 0.950512932342 | data | 7.94983265603 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x6a000 | 0x5c8 | 0x600 | False | 0.4296875 | data | 4.12496776962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x6c000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_VERSION | 0x6a0a0 | 0x338 | data | |
                                      RT_MANIFEST | 0x6a3d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                      Imports

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description | Data
                                      Translation | 0x0000 0x04b0
                                      LegalCopyright | Copyright 2014
                                      Assembly Version | 1.0.0.0
                                      InternalName | GC.exe
                                      FileVersion | 1.0.0.0
                                      CompanyName | Caesar Hall
                                      LegalTrademarks |
                                      Comments |
                                      ProductName | Automated Queries
                                      ProductVersion | 1.0.0.0
                                      FileDescription | Automated Queries
                                      OriginalFilename | GC.exe

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      01/12/22-11:22:12.188391 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54154 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:22:25.426133 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64021 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:22:31.749232 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60784 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:22:35.982965 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56009 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:22:55.429955 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:23:32.056857 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60982 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:23:44.375587 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64367 | 8.8.8.8 | 192.168.2.3
                                      01/12/22-11:23:50.287118 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55393 | 8.8.8.8 | 192.168.2.3

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 12, 2022 11:22:12.205579996 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.232214928 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.232445002 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.429037094 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.480348110 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.480535030 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.559320927 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.562521935 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.590392113 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.590559959 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.668531895 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.668659925 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.745827913 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.782213926 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.871252060 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.871336937 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:12.964359999 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:12.997725964 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.011174917 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.011214018 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.011235952 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.011257887 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.011338949 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.011389017 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.039541006 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039577961 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039601088 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039629936 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039653063 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039678097 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039702892 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039724112 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.039730072 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.039804935 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.065803051 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065841913 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065879107 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065901995 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065923929 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065946102 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065967083 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.065980911 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.065989971 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066014051 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066036940 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066044092 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.066059113 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066077948 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.066083908 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066107988 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066129923 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066139936 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.066152096 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.066171885 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092382908 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092427969 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092453957 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092479944 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092504025 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092528105 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092551947 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092576981 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092582941 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092602015 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092624903 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092643976 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092647076 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092668056 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092675924 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092689037 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092705965 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092709064 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092725992 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092730045 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092751026 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092771053 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092772961 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092791080 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092811108 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092811108 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092833996 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092858076 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092865944 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092883110 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092901945 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092905998 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092931032 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092953920 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.092957020 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.092976093 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.093003988 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.120625973 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120665073 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120683908 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120702982 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120728016 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120732069 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.120748043 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3
                                      Jan 12, 2022 11:22:13.120757103 CET | 49750 | 2050 | 192.168.2.3 | 212.192.246.251
                                      Jan 12, 2022 11:22:13.120770931 CET | 2050 | 49750 | 212.192.246.251 | 192.168.2.3

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 12, 2022 11:22:12.161359072 CET  54154        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:12.188390970 CET  53           54154      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:19.231903076 CET  53910        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:19.250627995 CET  53           53910      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:25.407443047 CET  64021        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:25.426132917 CET  53           64021      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:31.729120970 CET  60784        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:31.749232054 CET  53           60784      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:35.964356899 CET  56009        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:35.982964993 CET  53           56009      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:42.197701931 CET  49572        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:42.214799881 CET  53           49572      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:49.334059000 CET  52130        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:49.352694988 CET  53           52130      8.8.8.8      192.168.2.3
Jan 12, 2022 11:22:55.409388065 CET  56527        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:22:55.429955006 CET  53           56527      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:02.695000887 CET  52650        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:02.713709116 CET  53           52650      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:08.890692949 CET  58361        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:08.909431934 CET  53           58361      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:15.301031113 CET  53615        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:15.317915916 CET  53           53615      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:19.763973951 CET  57106        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:19.780353069 CET  53           57106      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:26.136761904 CET  56773        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:26.153578043 CET  53           56773      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:32.038373947 CET  60982        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:32.056857109 CET  53           60982      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:38.367472887 CET  58058        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:38.386100054 CET  53           58058      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:44.354976892 CET  64367        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:44.375586987 CET  53           64367      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:50.266763926 CET  55393        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:50.287117958 CET  53           55393      8.8.8.8      192.168.2.3
Jan 12, 2022 11:23:56.324898005 CET  50585        53         192.168.2.3  8.8.8.8
Jan 12, 2022 11:23:56.343398094 CET  53           50585      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class
Jan 12, 2022 11:22:12.161359072 CET  192.168.2.3  8.8.8.8  0x8792    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:19.231903076 CET  192.168.2.3  8.8.8.8  0x8b94    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:25.407443047 CET  192.168.2.3  8.8.8.8  0xe63b    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:31.729120970 CET  192.168.2.3  8.8.8.8  0x4261    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:35.964356899 CET  192.168.2.3  8.8.8.8  0xa978    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:42.197701931 CET  192.168.2.3  8.8.8.8  0xa1d     Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:49.334059000 CET  192.168.2.3  8.8.8.8  0xb61f    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:55.409388065 CET  192.168.2.3  8.8.8.8  0xb599    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:02.695000887 CET  192.168.2.3  8.8.8.8  0xa741    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:08.890692949 CET  192.168.2.3  8.8.8.8  0x8094    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:15.301031113 CET  192.168.2.3  8.8.8.8  0x4a21    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:19.763973951 CET  192.168.2.3  8.8.8.8  0xc2f     Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:26.136761904 CET  192.168.2.3  8.8.8.8  0x30b0    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:32.038373947 CET  192.168.2.3  8.8.8.8  0x4df0    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:38.367472887 CET  192.168.2.3  8.8.8.8  0xbb73    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:44.354976892 CET  192.168.2.3  8.8.8.8  0x8668    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:50.266763926 CET  192.168.2.3  8.8.8.8  0x1aa0    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:56.324898005 CET  192.168.2.3  8.8.8.8  0x477c    Standard query (0)  nsayers4rm382.bounceme.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                        CName  Address          Type            Class
Jan 12, 2022 11:22:12.188390970 CET  8.8.8.8    192.168.2.3  0x8792    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:19.250627995 CET  8.8.8.8    192.168.2.3  0x8b94    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:25.426132917 CET  8.8.8.8    192.168.2.3  0xe63b    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:31.749232054 CET  8.8.8.8    192.168.2.3  0x4261    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:35.982964993 CET  8.8.8.8    192.168.2.3  0xa978    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:42.214799881 CET  8.8.8.8    192.168.2.3  0xa1d     No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:49.352694988 CET  8.8.8.8    192.168.2.3  0xb61f    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:22:55.429955006 CET  8.8.8.8    192.168.2.3  0xb599    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:02.713709116 CET  8.8.8.8    192.168.2.3  0xa741    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:08.909431934 CET  8.8.8.8    192.168.2.3  0x8094    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:15.317915916 CET  8.8.8.8    192.168.2.3  0x4a21    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:19.780353069 CET  8.8.8.8    192.168.2.3  0xc2f     No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:26.153578043 CET  8.8.8.8    192.168.2.3  0x30b0    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:32.056857109 CET  8.8.8.8    192.168.2.3  0x4df0    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:38.386100054 CET  8.8.8.8    192.168.2.3  0xbb73    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:44.375586987 CET  8.8.8.8    192.168.2.3  0x8668    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:50.287117958 CET  8.8.8.8    192.168.2.3  0x1aa0    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)
Jan 12, 2022 11:23:56.343398094 CET  8.8.8.8    192.168.2.3  0x477c    No error (0)  nsayers4rm382.bounceme.net  -      212.192.246.251  A (IP address)  IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:21:50
Start date: 12/01/2022
Path: C:\Users\user\Desktop\AwgHpwrCpq.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AwgHpwrCpq.exe"
Imagebase: 0xaa0000
File size: 424448 bytes
MD5 hash: 525C479A4A2EFC75301C47932E47A2A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.323861162.0000000003121000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.325988757.0000000004121000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.325745344.00000000031F7000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:21:58
Start date: 12/01/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GVujWCI.exe
Imagebase: 0x100000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 11:21:59
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:21:59
Start date: 12/01/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GVujWCI" /XML "C:\Users\user\AppData\Local\Temp\tmp8089.tmp
Imagebase: 0xf0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:00
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:01
Start date: 12/01/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase: 0x520000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000000.320538954.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000000.321133784.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000000.319827397.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000000.320126344.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: moderate

General

Start time: 11:22:05
Start date: 12/01/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5094.tmp
Imagebase: 0xf0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:07
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70d6e0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:09
Start date: 12/01/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5F3B.tmp
Imagebase: 0xf0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:22:09
Start date: 12/01/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase: 0xa80000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 11:22:09
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 11:22:10
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 11:22:11
Start date: 12/01/2022
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase: 0x450000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

General

Start time: 11:22:12
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 11:22:16
Start date: 12/01/2022
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase: 0x5e0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

General

Start time: 11:22:16
Start date: 12/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Disassembly

Code Analysis
