Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report ozT6Kif37P9Trrb.exe

Overview

General Information

Sample Name:ozT6Kif37P9Trrb.exe
Analysis ID:553225
MD5:0e66d7d3cea736262ae210aaaa00eeb5
SHA1:94393bb0ad4eeb3f818e34f57395642920920bb8
SHA256:52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)

Classification

Process Tree

  • System is w10x64
  • ozT6Kif37P9Trrb.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" MD5: 0E66D7D3CEA736262AE210AAAA00EEB5)
    • powershell.exe (PID: 5996 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5528 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 6780 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6928 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5048 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5324 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fea2b910-0578-480b-a4fe-76b7fc47", "Group": "Phaddy", "Domain1": "obeyice4rm392.bounceme.net", "Domain2": "127.0.0.1", "Port": 8951, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      9.0.RegSvcs.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      9.0.RegSvcs.exe.400000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      9.0.RegSvcs.exe.400000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        9.0.RegSvcs.exe.400000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        0.2.ozT6Kif37P9Trrb.exe.2f37814.2.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Click to see the 31 entries

          Sigma Overview

          AV Detection:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          E-Banking Fraud:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          System Summary:

          barindex
          Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
          Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852
          Sigma detected: Suspicius Add Task From User AppData TempShow sources
          Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, ProcessId: 5528
          Sigma detected: Powershell Defender ExclusionShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, ProcessId: 5996
          Sigma detected: Possible Applocker BypassShow sources
          Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852
          Sigma detected: Non Interactive PowerShellShow sources
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, ProcessId: 5996
          Sigma detected: T1086 PowerShell ExecutionShow sources
          Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132866390590775293.5996.DefaultAppDomain.powershell

          Stealing of Sensitive Information:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          Remote Access Functionality:

          barindex
          Sigma detected: NanoCoreShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 9.0.RegSvcs.exe.400000.3.unpackMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fea2b910-0578-480b-a4fe-76b7fc47", "Group": "Phaddy", "Domain1": "obeyice4rm392.bounceme.net", "Domain2": "127.0.0.1", "Port": 8951, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
          Antivirus detection for URL or domainShow sources
          Source: obeyice4rm392.bounceme.netAvira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URLShow sources
          Source: obeyice4rm392.bounceme.netVirustotal: Detection: 8%Perma Link
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR
          Machine Learning detection for sampleShow sources
          Source: ozT6Kif37P9Trrb.exeJoe Sandbox ML: detected
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\cVaRnofAle.exeJoe Sandbox ML: detected
          Source: 9.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 9.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 9.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 9.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: 9.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
          Source: ozT6Kif37P9Trrb.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: ozT6Kif37P9Trrb.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: PrincipalPoli.pdbX source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000012.00000002.720535439.00000000006C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
          Source: Binary string: PrincipalPoli.pdb source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49801 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49808 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49814 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49816 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49839 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49840 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49842 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49846 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49847 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49848 -> 103.153.78.234:8951
          Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49849 -> 103.153.78.234:8951
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: obeyice4rm392.bounceme.net
          Source: Malware configuration extractorURLs: 127.0.0.1
          Source: Joe Sandbox ViewASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
          Source: global trafficTCP traffic: 192.168.2.4:49766 -> 103.153.78.234:8951
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.WT
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.674273693.0000000005E1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.676299635.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676356782.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676241303.0000000005E1D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-r
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.678112968.0000000005E17000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.678175914.0000000005E17000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: unknownDNS traffic detected: queries for: obeyice4rm392.bounceme.net

          E-Banking Fraud:

          barindex
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: ozT6Kif37P9Trrb.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeCode function: 0_2_090D10A5
          Source: ozT6Kif37P9Trrb.exeBinary or memory string: OriginalFilename vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702006358.0000000000AD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePrincipalPoli.exe0 vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706836015.0000000008E80000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exeBinary or memory string: OriginalFilenamePrincipalPoli.exe0 vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: cVaRnofAle.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile read: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeJump to behavior
          Source: ozT6Kif37P9Trrb.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe"
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Roaming\cVaRnofAle.exeJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1CD0.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@21/22@16/2
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMutant created: \Sessions\1\BaseNamedObjects\maZUnAb
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fea2b910-0578-480b-a4fe-76b7fc47c575}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ozT6Kif37P9Trrb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ozT6Kif37P9Trrb.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: ozT6Kif37P9Trrb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: PrincipalPoli.pdbX source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000012.00000002.720535439.00000000006C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
          Source: Binary string: PrincipalPoli.pdb source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: ozT6Kif37P9Trrb.exe, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: cVaRnofAle.exe.0.dr, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)Show sources
          Source: ozT6Kif37P9Trrb.exe, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: cVaRnofAle.exe.0.dr, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: 0.2.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: 0.0.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: initial sampleStatic PE information: section name: .text entropy: 7.20366769092
          Source: initial sampleStatic PE information: section name: .text entropy: 7.20366769092
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Roaming\cVaRnofAle.exeJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

          Boot Survival:

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.2f37814.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.2f2f808.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe TID: 7108Thread sleep time: -40611s >= -30000s
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe TID: 7148Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5572Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6500Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4184Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6243
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2377
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 4182
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 5286
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: foregroundWindowGot 630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: foregroundWindowGot 695
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeCode function: 0_2_00AD573E sgdt fword ptr [eax]
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeThread delayed: delay time: 40611
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: cVaRnofAle.exe.0.drBinary or memory string: PrincipalPoliCompilationRelaxationsAttributeSystem.Runtime.CompilerServicesmscorlib.ctorVoidSystemInt32BooleanRuntimeCompatibilityAttributeDebuggableAttributeSystem.DiagnosticsDebuggingModesAssemblyTitleAttributeSystem.ReflectionStringAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeComVisibleAttributeSystem.Runtime.InteropServicesGuidAttributeAssemblyFileVersionAttributeTargetFrameworkAttributeSystem.Runtime.VersioningPrincipalPoli.exe<Module>MXxLObjectdjk9pqWGEnumL2yAFormSystem.Windows.FormsUekDt6iJUmypnRCnVMcIResourcesBlaster.PropertiesSettingsApplicationSettingsBaseSystem.ConfigurationJZcUqSkWOQhbgylhwtrPDVnEeCuvC5uONullable`1 ToStringConcatget_HasValueEmptyget_ValueFormatIsNullOrEmptyInvalidEnumArgumentExceptionSystem.ComponentModeloZQWvalue__Y3v1cBsKIContainers0TypeKlSplitContainerguListBoxn7ButtonXTKsowecHrLabelkiVadxt8hHSzcX4TextBoxuXXRXLLXjComboBoxqX9EXqTXGget_ItemsObjectCollectionAddListControlset_SelectedIndexEventArgsClearget_SelectedItemControlset_EnabledTrimTryParseget_Countget_Itemget_Textget_SelectedIndexRemoveAtExceptionParseMessageBoxShowDialogResultget_MessageFormatExceptionsfzgOdukGetTypeFromHandleRuntimeTypeHandleop_EqualityGetTypeDisposeIDisposableSNList`1System.Collections.GenericByteBitmapSystem.DrawingColorPointset_Locationset_NameSizeset_Sizeset_TabIndexset_AnchorAnchorStylesButtonBaseset_UseVisualStyleBackColorset_AutoSizeGetPixelset_Textget_Panel2SplitterPanelget_ControlsControlCollectionEventHandlerIntPtradd_Clickget_Panel1ResumeLayoutPerformLayoutLateBindingMicrosoft.VisualBasic.CompilerServicesMicrosoft.VisualBasicLateGetadd_SelectedIndexChangedContainerControlset_AutoScaleModeAutoScaleModeset_ClientSizeSizeFSingleset_AutoScaleDimensionsSuspendLayoutColorTranslatorToWin32LateCallset_FormattingEnabledToArrayset_DockDockStyleset_SplitterDistancefFAssemblyXYLoadKoGetTypessHl1uXACX2ComponentResourceManagerResourceManagerSystem.ResourcesGetObjectIconset_IcondMGcCX6jXJrXmBXpvXeCloseJXDIhRXvXnmXMdXokX3eXRpKMnGXyfXhQXtzXIsXZArgumentOutOfRangeExceptionKXUNXSWXWUXQEnumeratorGetEnumeratorget_CurrentMoveNextUXblSAveXPApplicationSetCompatibleTextRenderingDefaultRunEnableVisualStylessqm9hXkfXNCultureInfoSystem.GlobalizationqXVget_AssemblyQXCiXvjXOTXgIpGedXEVX5defaultInstanceget_Default.cctorSettingsBaseSynchronizedtVPDDefaultArgumentExceptionPEJdLjsbpRntjwXgxYEBp3HLsxMfn4yA.L2.resourceskD.Ue.resourcesiJ.t6.resourcesBlaster.Properties.Resources.resourcesCompilerGeneratedAttributeDebuggerBrowsableAttributeDebuggerBrowsableStateSTAThreadAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDebuggerNonUserCodeAttributeEditorBrowsableAttributeEditorBrowsableState
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          Writes to foreign memory regionsShow sources
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8D8008
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Adds a directory exclusion to Windows DefenderShow sources
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          barindex
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR

          Remote Access Functionality:

          barindex
          Detected Nanocore RatShow sources
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: RegSvcs.exe, 00000009.00000003.738687606.00000000063A1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: RegSvcs.exe, 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RATShow sources
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection211Masquerading2OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools11LSASS MemorySecurity Software Discovery111Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection211NTDSVirtualization/Sandbox Evasion31Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information1DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing23Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553225 Sample: ozT6Kif37P9Trrb.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 58 obeyice4rm392.bounceme.net 2->58 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 15 other signatures 2->70 9 ozT6Kif37P9Trrb.exe 7 2->9         started        13 RegSvcs.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\cVaRnofAle.exe, PE32 9->50 dropped 52 C:\Users\...\cVaRnofAle.exe:Zone.Identifier, ASCII 9->52 dropped 54 C:\Users\user\AppData\Local\...\tmp1CD0.tmp, XML 9->54 dropped 56 C:\Users\user\...\ozT6Kif37P9Trrb.exe.log, ASCII 9->56 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 9->74 76 Writes to foreign memory regions 9->76 78 Adds a directory exclusion to Windows Defender 9->78 80 Injects a PE file into a foreign processes 9->80 19 RegSvcs.exe 1 15 9->19         started        24 powershell.exe 25 9->24         started        26 schtasks.exe 1 9->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        32 conhost.exe 17->32         started        signatures6 process7 dnsIp8 60 obeyice4rm392.bounceme.net 103.153.78.234, 49766, 49769, 49770 TWIDC-AS-APTWIDCLimitedHK unknown 19->60 62 192.168.2.1 unknown unknown 19->62 46 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->46 dropped 48 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->48 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->72 34 schtasks.exe 1 19->34         started        36 schtasks.exe 19->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        file9 signatures10 process11 process12 42 conhost.exe 34->42         started        44 conhost.exe 36->44         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          ozT6Kif37P9Trrb.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\cVaRnofAle.exe100%Joe Sandbox ML
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%MetadefenderBrowse
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          9.0.RegSvcs.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          9.0.RegSvcs.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          9.0.RegSvcs.exe.400000.2.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          9.0.RegSvcs.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
          9.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

          Domains

          SourceDetectionScannerLabelLink
          obeyice4rm392.bounceme.net9%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.galapagosdesign.com/0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.carterandcone.como.WT0%Avira URL Cloudsafe
          http://www.founder.com.cn/cnu-r0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.com0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cno.0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          obeyice4rm392.bounceme.net100%Avira URL Cloudmalware
          127.0.0.10%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          obeyice4rm392.bounceme.net
          		103.153.78.234
          		truetrueunknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          obeyice4rm392.bounceme.nettrue
          • Avira URL Cloud: malware
          		unknown
          127.0.0.1true
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.0ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
            		high
            http://www.fontbureau.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designersGozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                		high
                http://www.galapagosdesign.com/ozT6Kif37P9Trrb.exe, 00000000.00000003.678112968.0000000005E17000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.678175914.0000000005E17000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers/?ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/bTheozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers?ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                    		high
                    http://www.carterandcone.como.WTozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.founder.com.cn/cnu-rozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.tiro.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                      		high
                      http://www.goodfont.co.krozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.carterandcone.comlozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sajatypeworks.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.typography.netDozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/cTheozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/staff/dennis.htmozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://fontfabrik.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/frere-user.htmlozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/cabarga.htmlozT6Kif37P9Trrb.exe, 00000000.00000003.676299635.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676356782.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676241303.0000000005E1D000.00000004.00000001.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.zhongyicts.com.cno.ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers8ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                              		high
                              http://www.fonts.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sakkal.comozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/ozT6Kif37P9Trrb.exe, 00000000.00000003.674273693.0000000005E1D000.00000004.00000001.sdmpfalse
                                    		high

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    103.153.78.234
                                    		obeyice4rm392.bounceme.netunknown
                                    		134687TWIDC-AS-APTWIDCLimitedHKtrue

                                    Private

                                    IP
                                    192.168.2.1

                                    General Information

                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:553225
                                    Start date:14.01.2022
                                    Start time:14:03:12
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 10m 18s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:ozT6Kif37P9Trrb.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:31
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@21/22@16/2
                                    EGA Information:
                                    • Successful, ratio: 75%
                                    HDC Information:
                                    • Successful, ratio: 1.2% (good quality ratio 0.7%)
                                    • Quality average: 44.3%
                                    • Quality standard deviation: 41%
                                    HCA Information:
                                    • Successful, ratio: 98%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    Show All
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • TCP Packets have been reduced to 100
                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.222
                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fp.msedge.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                    • Execution Graph export aborted for target dhcpmon.exe, PID 5324 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    14:04:17API Interceptor1x Sleep call for process: ozT6Kif37P9Trrb.exe modified
                                    14:04:21API Interceptor31x Sleep call for process: powershell.exe modified
                                    14:04:28AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    14:04:30Task SchedulerRun new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
                                    14:04:32API Interceptor899x Sleep call for process: RegSvcs.exe modified
                                    14:04:33Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASN

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):45152
                                    Entropy (8bit):6.149629800481177
                                    Encrypted:false
                                    SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                    MD5:2867A3817C9245F7CF518524DFD18F28
                                    SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                    SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                    SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):142
                                    Entropy (8bit):5.090621108356562
                                    Encrypted:false
                                    SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                    MD5:8C0458BB9EA02D50565175E38D577E35
                                    SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                    SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                    SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                    Malicious:false
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):142
                                    Entropy (8bit):5.090621108356562
                                    Encrypted:false
                                    SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                    MD5:8C0458BB9EA02D50565175E38D577E35
                                    SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                    SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                    SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                    Malicious:false
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ozT6Kif37P9Trrb.exe.log
                                    Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):1310
                                    Entropy (8bit):5.345651901398759
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                    MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                    SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                    SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                    SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                    Malicious:true
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):22276
                                    Entropy (8bit):5.602982212251498
                                    Encrypted:false
                                    SSDEEP:384:WtCDLq0ct1C409bCluOMSBKnYjultI+H7Y9gtSJ3xeT1MaXZlbAV7S/WXl0ZBDIX:Wy4YoM4KYClthTtc8C+fw2dVM
                                    MD5:E48EE2F327D6D65807AC8D4E4FFDE94A
                                    SHA1:01B9235FBEFEC382A4F15D5F5F52AFBD087515B5
                                    SHA-256:6F50352062E59D9EF57C36395B4A70AE6C16CCB0E7288834E2D696F0B901E9F9
                                    SHA-512:790ACF09BA79DAC1107F7EA42CF274F1FFD06695D09632C0461E1EE5AFE2E5668CAC3A194AD376A802F7239D462017011C3A2F8A0DD86EC46ABA48078953BF4A
                                    Malicious:false
                                    Preview: @...e...........y.......h...M.D.A.....c...G..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxiz0fo4.txt.ps1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkw55tcl.b0c.psm1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview: 1
                                    C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
                                    Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1597
                                    Entropy (8bit):5.132922205599041
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaqxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTLv
                                    MD5:1A4C3C0E87FFF635CEE22780816C7938
                                    SHA1:A6EFD35A27CF4ED80F159EE5D03B19F329AAAE14
                                    SHA-256:DB8510C86B8908ACF4A931082ADB39F850141E71EE90FD34E2607C5ACA8749B9
                                    SHA-512:641D68C02E56A2EF750DA17F7B01268B2A20D9FB583C2375CFDD939B6A2BDFB74D392E4A50C05374ABB103B719204E3809B5BBC90B694B0CA78227E8DA31B107
                                    Malicious:true
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                    C:\Users\user\AppData\Local\Temp\tmp732D.tmp
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1320
                                    Entropy (8bit):5.135668813522653
                                    Encrypted:false
                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
                                    MD5:8CAD1B41587CED0F1E74396794F31D58
                                    SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
                                    SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
                                    SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                    C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1310
                                    Entropy (8bit):5.109425792877704
                                    Encrypted:false
                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                    MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                    SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                    SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                    SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):232
                                    Entropy (8bit):7.024371743172393
                                    Encrypted:false
                                    SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                    MD5:32D0AAE13696FF7F8AF33B2D22451028
                                    SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                    SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                    SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                    Malicious:false
                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:Non-ISO extended-ASCII text, with NEL line terminators
                                    Category:dropped
                                    Size (bytes):8
                                    Entropy (8bit):3.0
                                    Encrypted:false
                                    SSDEEP:3:5J:5J
                                    MD5:31921F42DD1487F93B67C5642C1D0A6E
                                    SHA1:2464C7570EAF9F049929E0D550381D8FCA678996
                                    SHA-256:78EA0D76D709074FB94BF5046B858EAA3382C161738BC13B06915B1BFDF52E98
                                    SHA-512:1309E6986901275B110AEA7DCA2779B1DEFA32B73CF3EDF20434598522A8DD8CE96B7407FEF98E831CFFDC266A624AC86A435A5E5B93D4770C4F6272EC28B61C
                                    Malicious:true
                                    Preview: ..Le^..H
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):24
                                    Entropy (8bit):4.584962500721156
                                    Encrypted:false
                                    SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
                                    MD5:3FCC766D28BFD974C68B38C27D0D7A9A
                                    SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
                                    SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
                                    SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
                                    Malicious:false
                                    Preview: 9iH...}Z.4..f.....l.d
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40
                                    Entropy (8bit):5.221928094887364
                                    Encrypted:false
                                    SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                    MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                    SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                    SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                    SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                    Malicious:false
                                    Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):327432
                                    Entropy (8bit):7.99938831605763
                                    Encrypted:true
                                    SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                    MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                    SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                    SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                    SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                    Malicious:false
                                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):57
                                    Entropy (8bit):4.830795005765378
                                    Encrypted:false
                                    SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
                                    MD5:08E799E8E9B4FDA648F2500A40A11933
                                    SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
                                    SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
                                    SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
                                    Malicious:false
                                    Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    C:\Users\user\AppData\Roaming\cVaRnofAle.exe
                                    Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):574464
                                    Entropy (8bit):7.193549008260358
                                    Encrypted:false
                                    SSDEEP:12288:DK777777777777N7lPB33pnS8tMtoOLHJfCJKlxqoYQ:DK777777777777llxpS8tMtA8lxqo9
                                    MD5:0E66D7D3CEA736262AE210AAAA00EEB5
                                    SHA1:94393BB0AD4EEB3F818E34F57395642920920BB8
                                    SHA-256:52C280A9E1DF79B39D176D673EBDA000C46D89EAB1477EAE5B1A62F4AB8373BB
                                    SHA-512:1374F58FFF67ABEF6C7F36BC023FC5BB7F19DE5DAE5C4D59601E31BA583BE99DEEFC6846100F2DE9283B002138C7D3C38C11CDA30BDF6F7653DA7E81BB108E67
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7.a............................~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H.......,f..........E...4....D............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ....(....95...&..(..... ........8.....(..........8.... ............E............P...............p...............P.......................c... ........8.....9....r...p.(..... ........8....8;...r...p.(...... ....(....:h...&8....rK..p.(...... ........8C...8....ry..p.(...... ....8+...8....r...p.. ..
                                    C:\Users\user\AppData\Roaming\cVaRnofAle.exe:Zone.Identifier
                                    Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview: [ZoneTransfer]....ZoneId=0
                                    C:\Users\user\Documents\20220114\PowerShell_transcript.639509.GGL+h8F7.20220114140420.txt
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):5789
                                    Entropy (8bit):5.382988567412468
                                    Encrypted:false
                                    SSDEEP:96:BZgj8NQqDo1ZJZBj8NQqDo1Z7uw2jZIj8NQqDo1Z4bGG6Zd:u
                                    MD5:FE5FA47B5771CF56B743936E557D1CF5
                                    SHA1:1A9168837DC0D321A9D116DF31CE1586C30346B8
                                    SHA-256:C432267A4AC9B2328DACFB5CBCB983D2DA8D14529A27F2204E678BBEF89B7D64
                                    SHA-512:8E9A920A0686A561CCEE9552D7E1D21B9BB22D9BEFF29B8CA068E75A3301C36193B88DD009600D28B3F6A35D91F8518AFFDC18C38BA93FDE9D9E786A39366AC7
                                    Malicious:false
                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114140421..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 639509 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cVaRnofAle.exe..Process ID: 5996..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114140421..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cVaRnofAle.exe..**********************..Windows PowerShell transcript start..Start time: 20220114140802..Username: computer\user..RunAs User: computer\jone
                                    \Device\ConDrv
                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1141
                                    Entropy (8bit):4.44831826838854
                                    Encrypted:false
                                    SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                    MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                    SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                    SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                    SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                    Malicious:false
                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.193549008260358
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:ozT6Kif37P9Trrb.exe
                                    File size:574464
                                    MD5:0e66d7d3cea736262ae210aaaa00eeb5
                                    SHA1:94393bb0ad4eeb3f818e34f57395642920920bb8
                                    SHA256:52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
                                    SHA512:1374f58fff67abef6c7f36bc023fc5bb7f19de5dae5c4d59601e31ba583be99deefc6846100f2de9283b002138c7d3c38c11cda30bdf6f7653da7e81bb108e67
                                    SSDEEP:12288:DK777777777777N7lPB33pnS8tMtoOLHJfCJKlxqoYQ:DK777777777777llxpS8tMtA8lxqo9
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7.a............................~.... ........@.. ....................... ............@................................

                                    File Icon

                                    Icon Hash:00828e8e8686b000

                                    Static PE Info

                                    General

                                    Entrypoint:0x48d97e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x61E13702 [Fri Jan 14 08:40:34 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x8d9300x4b.text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x8e0000x5dc.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x900000xc.reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x8d8e10x1c.text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000x8b9840x8ba00False0.748704327999data7.20366769092IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc0x8e0000x5dc0x600False0.438151041667data4.16155684526IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x900000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountry
                                    RT_VERSION0x8e0a00x34edata
                                    RT_MANIFEST0x8e3f00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                    Imports

                                    DLLImport
                                    mscoree.dll_CorExeMain

                                    Version Infos

                                    DescriptionData
                                    Translation0x0000 0x04b0
                                    LegalCopyright2022 Tradewell
                                    Assembly Version22.0.0.0
                                    InternalNamePrincipalPoli.exe
                                    FileVersion1.1.0.0
                                    CompanyNameTradewell ltd
                                    LegalTrademarks
                                    CommentsPurple Org
                                    ProductNameBlaster
                                    ProductVersion1.1.0.0
                                    FileDescriptionBlaster
                                    OriginalFilenamePrincipalPoli.exe

                                    Network Behavior

                                    Snort IDS Alerts

                                    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                    01/14/22-14:04:33.519999TCP2025019ET TROJAN Possible NanoCore C2 60B497668951192.168.2.4103.153.78.234
                                    01/14/22-14:04:39.857137UDP254DNS SPOOF query response with TTL of 1 min. and no authority53580288.8.8.8192.168.2.4
                                    01/14/22-14:04:40.083111TCP2025019ET TROJAN Possible NanoCore C2 60B497698951192.168.2.4103.153.78.234
                                    01/14/22-14:04:47.447207TCP2025019ET TROJAN Possible NanoCore C2 60B497708951192.168.2.4103.153.78.234
                                    01/14/22-14:04:53.578748TCP2025019ET TROJAN Possible NanoCore C2 60B497718951192.168.2.4103.153.78.234
                                    01/14/22-14:05:01.026500UDP254DNS SPOOF query response with TTL of 1 min. and no authority53623898.8.8.8192.168.2.4
                                    01/14/22-14:05:01.289314TCP2025019ET TROJAN Possible NanoCore C2 60B497728951192.168.2.4103.153.78.234
                                    01/14/22-14:05:08.133013TCP2025019ET TROJAN Possible NanoCore C2 60B498018951192.168.2.4103.153.78.234
                                    01/14/22-14:05:15.199190TCP2025019ET TROJAN Possible NanoCore C2 60B498088951192.168.2.4103.153.78.234
                                    01/14/22-14:05:22.189784TCP2025019ET TROJAN Possible NanoCore C2 60B498148951192.168.2.4103.153.78.234
                                    01/14/22-14:05:29.062611UDP254DNS SPOOF query response with TTL of 1 min. and no authority53640788.8.8.8192.168.2.4
                                    01/14/22-14:05:29.285444TCP2025019ET TROJAN Possible NanoCore C2 60B498168951192.168.2.4103.153.78.234
                                    01/14/22-14:05:36.103156UDP254DNS SPOOF query response with TTL of 1 min. and no authority53648018.8.8.8192.168.2.4
                                    01/14/22-14:05:36.332449TCP2025019ET TROJAN Possible NanoCore C2 60B498398951192.168.2.4103.153.78.234
                                    01/14/22-14:05:43.488065TCP2025019ET TROJAN Possible NanoCore C2 60B498408951192.168.2.4103.153.78.234
                                    01/14/22-14:05:50.216788TCP2025019ET TROJAN Possible NanoCore C2 60B498428951192.168.2.4103.153.78.234
                                    01/14/22-14:05:56.127723UDP254DNS SPOOF query response with TTL of 1 min. and no authority53550468.8.8.8192.168.2.4
                                    01/14/22-14:05:56.351918TCP2025019ET TROJAN Possible NanoCore C2 60B498468951192.168.2.4103.153.78.234
                                    01/14/22-14:06:03.539133TCP2025019ET TROJAN Possible NanoCore C2 60B498478951192.168.2.4103.153.78.234
                                    01/14/22-14:06:10.732002TCP2025019ET TROJAN Possible NanoCore C2 60B498488951192.168.2.4103.153.78.234
                                    01/14/22-14:06:17.566202UDP254DNS SPOOF query response with TTL of 1 min. and no authority53506018.8.8.8192.168.2.4
                                    01/14/22-14:06:17.790054TCP2025019ET TROJAN Possible NanoCore C2 60B498498951192.168.2.4103.153.78.234

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Jan 14, 2022 14:04:33.227729082 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:33.452159882 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:33.452919960 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:33.519999027 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:33.759257078 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:33.759376049 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:34.035556078 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:34.035623074 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:34.258569956 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:34.312875986 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:34.644413948 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:34.919837952 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:34.920998096 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.185039043 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.197146893 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.197293997 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.197367907 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.197539091 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.197642088 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.197702885 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.419930935 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420197964 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420269012 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.420500040 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420526028 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420583010 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.420644999 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420736074 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.420777082 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.420896053 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.421016932 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.421066046 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643018007 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643042088 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643058062 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643074036 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643094063 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643116951 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643134117 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643138885 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643162012 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643172026 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643183947 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643205881 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643227100 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643229961 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643251896 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643271923 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643274069 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643295050 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643297911 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643320084 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643342018 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.643356085 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.643395901 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.659044027 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.865747929 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.865814924 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.865883112 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.865897894 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.865930080 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.865955114 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866004944 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866004944 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866041899 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866056919 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866064072 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866113901 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866163969 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866173029 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866214991 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866275072 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866276979 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866292953 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866332054 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866343021 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866384983 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866394043 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866436005 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866437912 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866489887 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866504908 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866539955 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866549015 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866591930 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866594076 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866643906 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866650105 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866694927 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866703033 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866745949 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866751909 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866797924 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866799116 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866848946 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866852999 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866900921 CET895149766103.153.78.234192.168.2.4
                                    Jan 14, 2022 14:04:35.866904020 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866950989 CET497668951192.168.2.4103.153.78.234
                                    Jan 14, 2022 14:04:35.866952896 CET895149766103.153.78.234192.168.2.4

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Jan 14, 2022 14:04:33.198506117 CET5453153192.168.2.48.8.8.8
                                    Jan 14, 2022 14:04:33.217678070 CET53545318.8.8.8192.168.2.4
                                    Jan 14, 2022 14:04:39.836319923 CET5802853192.168.2.48.8.8.8
                                    Jan 14, 2022 14:04:39.857136965 CET53580288.8.8.8192.168.2.4
                                    Jan 14, 2022 14:04:47.203134060 CET5309753192.168.2.48.8.8.8
                                    Jan 14, 2022 14:04:47.222959042 CET53530978.8.8.8192.168.2.4
                                    Jan 14, 2022 14:04:53.339858055 CET4925753192.168.2.48.8.8.8
                                    Jan 14, 2022 14:04:53.359272957 CET53492578.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:01.007414103 CET6238953192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:01.026499987 CET53623898.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:07.799204111 CET5653453192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:07.818840027 CET53565348.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:14.924850941 CET5662753192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:14.944628954 CET53566278.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:21.889419079 CET6311653192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:21.908710957 CET53631168.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:29.041874886 CET6407853192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:29.062611103 CET53640788.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:36.082171917 CET6480153192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:36.103156090 CET53648018.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:43.235847950 CET6172153192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:43.253010988 CET53617218.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:49.950761080 CET6152253192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:49.970071077 CET53615228.8.8.8192.168.2.4
                                    Jan 14, 2022 14:05:56.106615067 CET5504653192.168.2.48.8.8.8
                                    Jan 14, 2022 14:05:56.127722979 CET53550468.8.8.8192.168.2.4
                                    Jan 14, 2022 14:06:03.177102089 CET4961253192.168.2.48.8.8.8
                                    Jan 14, 2022 14:06:03.197158098 CET53496128.8.8.8192.168.2.4
                                    Jan 14, 2022 14:06:10.481276035 CET4928553192.168.2.48.8.8.8
                                    Jan 14, 2022 14:06:10.500468969 CET53492858.8.8.8192.168.2.4
                                    Jan 14, 2022 14:06:17.541971922 CET5060153192.168.2.48.8.8.8
                                    Jan 14, 2022 14:06:17.566201925 CET53506018.8.8.8192.168.2.4

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                    Jan 14, 2022 14:04:33.198506117 CET192.168.2.48.8.8.80x9b6cStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:39.836319923 CET192.168.2.48.8.8.80xe8cbStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:47.203134060 CET192.168.2.48.8.8.80x9594Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:53.339858055 CET192.168.2.48.8.8.80xfaeStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:01.007414103 CET192.168.2.48.8.8.80xf16dStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:07.799204111 CET192.168.2.48.8.8.80x2784Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:14.924850941 CET192.168.2.48.8.8.80xb8fcStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:21.889419079 CET192.168.2.48.8.8.80x7d29Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:29.041874886 CET192.168.2.48.8.8.80xd4ffStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:36.082171917 CET192.168.2.48.8.8.80x4b58Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:43.235847950 CET192.168.2.48.8.8.80x1a5dStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:49.950761080 CET192.168.2.48.8.8.80xd9bcStandard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:56.106615067 CET192.168.2.48.8.8.80x7c2Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:03.177102089 CET192.168.2.48.8.8.80x9eb1Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:10.481276035 CET192.168.2.48.8.8.80x96f2Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:17.541971922 CET192.168.2.48.8.8.80xf173Standard query (0)obeyice4rm392.bounceme.netA (IP address)IN (0x0001)

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                    Jan 14, 2022 14:04:23.938669920 CET8.8.8.8192.168.2.40x52b2No error (0)a-0019.a.dns.azurefd.neta-0019.standard.a-msedge.netCNAME (Canonical name)IN (0x0001)
                                    Jan 14, 2022 14:04:33.217678070 CET8.8.8.8192.168.2.40x9b6cNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:39.857136965 CET8.8.8.8192.168.2.40xe8cbNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:47.222959042 CET8.8.8.8192.168.2.40x9594No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:04:53.359272957 CET8.8.8.8192.168.2.40xfaeNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:01.026499987 CET8.8.8.8192.168.2.40xf16dNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:07.818840027 CET8.8.8.8192.168.2.40x2784No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:14.944628954 CET8.8.8.8192.168.2.40xb8fcNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:21.908710957 CET8.8.8.8192.168.2.40x7d29No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:29.062611103 CET8.8.8.8192.168.2.40xd4ffNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:36.103156090 CET8.8.8.8192.168.2.40x4b58No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:43.253010988 CET8.8.8.8192.168.2.40x1a5dNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:49.970071077 CET8.8.8.8192.168.2.40xd9bcNo error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:05:56.127722979 CET8.8.8.8192.168.2.40x7c2No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:03.197158098 CET8.8.8.8192.168.2.40x9eb1No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:10.500468969 CET8.8.8.8192.168.2.40x96f2No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                    Jan 14, 2022 14:06:17.566201925 CET8.8.8.8192.168.2.40xf173No error (0)obeyice4rm392.bounceme.net103.153.78.234A (IP address)IN (0x0001)

                                    Code Manipulations

                                    Statistics

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    Analysis Process: ozT6Kif37P9Trrb.exe PID: 7104 Parent PID: 6100

                                    General

                                    Start time:14:04:08
                                    Start date:14/01/2022
                                    Path:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe"
                                    Imagebase:0xad0000
                                    File size:574464 bytes
                                    MD5 hash:0E66D7D3CEA736262AE210AAAA00EEB5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    Reputation:low

                                    Analysis Process: powershell.exe PID: 5996 Parent PID: 7104

                                    General

                                    Start time:14:04:19
                                    Start date:14/01/2022
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
                                    Imagebase:0x9e0000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 588 Parent PID: 5996

                                    General

                                    Start time:14:04:19
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: schtasks.exe PID: 5528 Parent PID: 7104

                                    General

                                    Start time:14:04:19
                                    Start date:14/01/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
                                    Imagebase:0x340000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 6688 Parent PID: 5528

                                    General

                                    Start time:14:04:20
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: RegSvcs.exe PID: 1852 Parent PID: 7104

                                    General

                                    Start time:14:04:21
                                    Start date:14/01/2022
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Imagebase:0x7c0000
                                    File size:45152 bytes
                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    Reputation:high

                                    Analysis Process: schtasks.exe PID: 6780 Parent PID: 1852

                                    General

                                    Start time:14:04:28
                                    Start date:14/01/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
                                    Imagebase:0x340000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 6820 Parent PID: 6780

                                    General

                                    Start time:14:04:29
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: schtasks.exe PID: 6928 Parent PID: 1852

                                    General

                                    Start time:14:04:30
                                    Start date:14/01/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
                                    Imagebase:0x340000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: RegSvcs.exe PID: 6852 Parent PID: 968

                                    General

                                    Start time:14:04:31
                                    Start date:14/01/2022
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
                                    Imagebase:0x960000
                                    File size:45152 bytes
                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 6932 Parent PID: 6928

                                    General

                                    Start time:14:04:31
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Analysis Process: conhost.exe PID: 6940 Parent PID: 6852

                                    General

                                    Start time:14:04:31
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Analysis Process: dhcpmon.exe PID: 5048 Parent PID: 968

                                    General

                                    Start time:14:04:33
                                    Start date:14/01/2022
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                    Imagebase:0x6c0000
                                    File size:45152 bytes
                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Antivirus matches:
                                    • Detection: 0%, Metadefender, Browse
                                    • Detection: 0%, ReversingLabs

                                    Analysis Process: conhost.exe PID: 7160 Parent PID: 5048

                                    General

                                    Start time:14:04:33
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Analysis Process: dhcpmon.exe PID: 5324 Parent PID: 3424

                                    General

                                    Start time:14:04:36
                                    Start date:14/01/2022
                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                    Imagebase:0x470000
                                    File size:45152 bytes
                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET

                                    Analysis Process: conhost.exe PID: 5416 Parent PID: 5324

                                    General

                                    Start time:14:04:37
                                    Start date:14/01/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Disassembly

                                    Code Analysis

                                    Reset < >