Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Order Sheet.exe

Overview

General Information

Sample Name:Order Sheet.exe
Analysis ID:560229
MD5:8aa38313a97d72b6d14b4d067f125086
SHA1:fa8b4c59dcd2f226d3dca64a4b1c8a656f033bd1
SHA256:8d1d485136c3e142c31a382e508ed735ad6e290574fe21f754cdfc7cf61abc43
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected AgentTesla
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Sigma detected: Suspicius Add Task From User AppData Temp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Yara detected Credential Stealer
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Order Sheet.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\Order Sheet.exe" MD5: 8AA38313A97D72B6D14B4D067F125086)
    • powershell.exe (PID: 6228 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4088 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4128 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Order Sheet.exe (PID: 6200 cmdline: C:\Users\user\Desktop\Order Sheet.exe MD5: 8AA38313A97D72B6D14B4D067F125086)
      • host process.exe (PID: 6076 cmdline: "C:\Users\user\AppData\Local\Temp\host process.exe" 0 MD5: 042FA6CD64D8F55F1405D130E306E47A)
      • O.stub.exe (PID: 6148 cmdline: "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0 MD5: 69709CD1D2019B22E72550ABE3AEF9D7)
  • dhcpmon.exe (PID: 2280 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 042FA6CD64D8F55F1405D130E306E47A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\O.stub.exeJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    C:\Users\user\AppData\Local\Temp\host process.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    C:\Users\user\AppData\Local\Temp\host process.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    Click to see the 4 entries

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        0000000D.00000003.788376076.000000000106F000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Click to see the 75 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          15.2.host process.exe.5270000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
          • 0xe75:$x1: NanoCore.ClientPluginHost
          • 0xe8f:$x2: IClientNetworkHost
          15.2.host process.exe.5270000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
          • 0xe75:$x2: NanoCore.ClientPluginHost
          • 0x1261:$s3: PipeExists
          • 0x1136:$s4: PipeCreated
          • 0xeb0:$s5: IClientLoggingHost
          15.0.host process.exe.700000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
          • 0x1018d:$x1: NanoCore.ClientPluginHost
          • 0x101ca:$x2: IClientNetworkHost
          • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
          15.0.host process.exe.700000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
          • 0xff05:$x1: NanoCore Client.exe
          • 0x1018d:$x2: NanoCore.ClientPluginHost
          • 0x117c6:$s1: PluginCommand
          • 0x117ba:$s2: FileCommand
          • 0x1266b:$s3: PipeExists
          • 0x18422:$s4: PipeCreated
          • 0x101b7:$s5: IClientLoggingHost
          15.0.host process.exe.700000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
            Click to see the 173 entries

            Sigma Overview

            AV Detection

            barindex
            Sigma detected: NanoCore
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud

            barindex
            Sigma detected: NanoCore
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            System Summary

            barindex
            Sigma detected: Suspicius Add Task From User AppData Temp
            Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Sheet.exe" , ParentImage: C:\Users\user\Desktop\Order Sheet.exe, ParentProcessId: 5588, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp, ProcessId: 4128
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Sheet.exe" , ParentImage: C:\Users\user\Desktop\Order Sheet.exe, ParentProcessId: 5588, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, ProcessId: 6228
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\O.stub.exe, Initiated: true, ProcessId: 6148, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49791
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 6076, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Sheet.exe" , ParentImage: C:\Users\user\Desktop\Order Sheet.exe, ParentProcessId: 5588, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe, ProcessId: 6228
            Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132876598159150713.6228.DefaultAppDomain.powershell

            Stealing of Sensitive Information

            barindex
            Sigma detected: NanoCore
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality

            barindex
            Sigma detected: NanoCore
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\host process.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeAvira: detection malicious, Label: TR/Spy.Gen8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Yara detected Nanocore RAT
            Source: Yara matchFile source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.791041172.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
            Multi AV Scanner detection for submitted file
            Source: Order Sheet.exeVirustotal: Detection: 25%Perma Link
            Source: Order Sheet.exeReversingLabs: Detection: 18%
            Multi AV Scanner detection for dropped file
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 100%
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeMetadefender: Detection: 55%Perma Link
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeReversingLabs: Detection: 85%
            Source: C:\Users\user\AppData\Local\Temp\host process.exeReversingLabs: Detection: 100%
            Source: C:\Users\user\AppData\Roaming\nXyTfXBfrv.exeReversingLabs: Detection: 18%
            Machine Learning detection for sample
            Source: Order Sheet.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\host process.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\nXyTfXBfrv.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeJoe Sandbox ML: detected
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
            Source: 17.2.dhcpmon.exe.6f0000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 13.0.Order Sheet.exe.400000.4.unpackAvira: Label: TR/Dropper.Gen
            Source: 15.0.host process.exe.700000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 0.2.Order Sheet.exe.3d59930.4.unpackAvira: Label: TR/Dropper.Gen
            Source: 13.0.Order Sheet.exe.400000.12.unpackAvira: Label: TR/Dropper.Gen
            Source: 13.0.Order Sheet.exe.400000.8.unpackAvira: Label: TR/Dropper.Gen
            Source: 13.2.Order Sheet.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
            Source: 17.0.dhcpmon.exe.6f0000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 15.0.host process.exe.700000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 13.0.Order Sheet.exe.400000.6.unpackAvira: Label: TR/Dropper.Gen
            Source: 15.0.host process.exe.700000.2.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 15.2.host process.exe.700000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 0.2.Order Sheet.exe.43a1810.7.unpackAvira: Label: TR/Dropper.Gen
            Source: 15.0.host process.exe.700000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 15.2.host process.exe.5620000.7.unpackAvira: Label: TR/NanoCore.fadte
            Source: Order Sheet.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Users\user\AppData\Local\Temp\host process.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Order Sheet.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: host process.exe, 0000000F.00000002.940113306.0000000002B05000.00000004.00000020.00020000.00000000.sdmp

            Networking

            barindex
            Uses dynamic DNS services
            Source: unknownDNS query: name: timmy13.ddns.net
            Source: global trafficTCP traffic: 192.168.2.4:49771 -> 185.140.53.138:28289
            Source: global trafficTCP traffic: 192.168.2.4:49791 -> 77.88.21.158:587
            Source: global trafficTCP traffic: 192.168.2.4:49791 -> 77.88.21.158:587
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Order Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Order Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma%
            Source: Order Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdiaa
            Source: Order Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: O.stub.exe, 00000010.00000002.940885541.0000000003261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://EZoeItrV4lpBHNUc3pDH.com
            Source: unknownDNS traffic detected: queries for: timmy13.ddns.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Installs a global keyboard hook
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\O.stub.exe
            Source: Order Sheet.exe, 00000000.00000002.784120556.0000000000F90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: host process.exe, 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

            E-Banking Fraud

            barindex
            Yara detected Nanocore RAT
            Source: Yara matchFile source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.791041172.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 15.2.host process.exe.5270000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.2.dhcpmon.exe.2e33dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.host process.exe.2e6179c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00F5C1A4
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00F5E5F0
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00F5E5E1
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_07904F08
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_07904EF8
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_07904C90
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_07904CA0
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_0070524A
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A82FA8
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A823A0
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A83850
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A8B1CF
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A88938
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A8306F
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A895FF
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02A89538
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FD208
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053F0006
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FE8D8
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FD201
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FDA5B
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FDE4A
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FDEBB
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FECA8
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FEC9B
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_053FE8CC
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060ACA58
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060AC850
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060A0070
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060AE108
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060A0F7B
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060A0006
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess Stats: CPU usage > 98%
            Source: Order Sheet.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: nXyTfXBfrv.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Order Sheet.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 15.2.host process.exe.5270000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.5270000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.2.dhcpmon.exe.2e33dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.2e33dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.host process.exe.2e6179c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.2e6179c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE15CE NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE1593 NtQuerySystemInformation,
            Source: Order Sheet.exe, 00000000.00000002.793930003.0000000007A60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXO vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000000.665509353.00000000008A9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEnumerateQueuedWorkItemsd.exeZ vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.784120556.0000000000F90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Order Sheet.exe
            Source: Order Sheet.exe, 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Sheet.exe
            Source: Order Sheet.exe, 0000000D.00000000.774560984.0000000000899000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEnumerateQueuedWorkItemsd.exeZ vs Order Sheet.exe
            Source: Order Sheet.exe, 0000000D.00000003.788376076.000000000106F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Sheet.exe
            Source: Order Sheet.exe, 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Sheet.exe
            Source: Order Sheet.exe, 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Order Sheet.exe
            Source: Order Sheet.exeBinary or memory string: OriginalFilenameEnumerateQueuedWorkItemsd.exeZ vs Order Sheet.exe
            Source: Order Sheet.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: nXyTfXBfrv.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: host process.exe.13.drStatic PE information: Section: .rsrc ZLIB complexity 0.999575892857
            Source: Order Sheet.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Order Sheet.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\Order Sheet.exeFile created: C:\Users\user\AppData\Roaming\nXyTfXBfrv.exeJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/16@12/2
            Source: C:\Users\user\Desktop\Order Sheet.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\host process.exeFile created: C:\Program Files (x86)\DHCP Monitor
            Source: Order Sheet.exeVirustotal: Detection: 25%
            Source: Order Sheet.exeReversingLabs: Detection: 18%
            Source: C:\Users\user\Desktop\Order Sheet.exeFile read: C:\Users\user\Desktop\Order Sheet.exe:Zone.IdentifierJump to behavior
            Source: C:\Users\user\Desktop\Order Sheet.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\Order Sheet.exe "C:\Users\user\Desktop\Order Sheet.exe"
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\Desktop\Order Sheet.exe C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
            Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\Desktop\Order Sheet.exe C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
            Source: C:\Users\user\Desktop\Order Sheet.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE138E AdjustTokenPrivileges,
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE1357 AdjustTokenPrivileges,
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Order Sheet.exeFile created: C:\Users\user\AppData\Local\Temp\tmp87D8.tmpJump to behavior
            Source: C:\Users\user\Desktop\Order Sheet.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\host process.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\host process.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\host process.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
            Source: C:\Users\user\Desktop\Order Sheet.exeMutant created: \Sessions\1\BaseNamedObjects\ECwzEXwOBaVtoDTh
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
            Source: C:\Users\user\AppData\Local\Temp\host process.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{964a90aa-b121-4650-948b-3135f4e12fbc}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_01
            Source: host process.exe.13.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: host process.exe.13.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: host process.exe.13.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Order Sheet.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Order Sheet.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\AppData\Local\Temp\host process.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Order Sheet.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Order Sheet.exeStatic file information: File size 1601024 > 1048576
            Source: Order Sheet.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11c800
            Source: Order Sheet.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: host process.exe, 0000000F.00000002.940113306.0000000002B05000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: Order Sheet.exe, iiInfinityEngine.Application/Form1.cs.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: nXyTfXBfrv.exe.0.dr, iiInfinityEngine.Application/Form1.cs.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Order Sheet.exe.720000.0.unpack, iiInfinityEngine.Application/Form1.cs.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: host process.exe.13.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: host process.exe.13.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00724AD4 push es; retf 0005h
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00724AD4 push es; retf
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00724609 push es; retf 0005h
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 0_2_00F5F9B2 pushad ; iretd
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 13_2_00714AD4 push es; retf 0005h
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 13_2_00714AD4 push es; retf
            Source: C:\Users\user\Desktop\Order Sheet.exeCode function: 13_2_00714609 push es; retf 0005h
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A13088 push eax; iretd
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A15888 push ds; retf
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A154E2 push ebp; ret
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A142D4 push es; retf
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A156DD push FFFFFFE4h; iretd
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_00A15443 push cs; iretd
            Source: initial sampleStatic PE information: section name: .text entropy: 7.73049016205
            Source: initial sampleStatic PE information: section name: .text entropy: 7.73049016205
            Source: host process.exe.13.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: host process.exe.13.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: C:\Users\user\Desktop\Order Sheet.exeFile created: C:\Users\user\AppData\Local\Temp\O.stub.exeJump to dropped file
            Source: C:\Users\user\Desktop\Order Sheet.exeFile created: C:\Users\user\AppData\Roaming\nXyTfXBfrv.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\host process.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
            Source: C:\Users\user\Desktop\Order Sheet.exeFile created: C:\Users\user\AppData\Local\Temp\host process.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp

            Hooking and other Techniques for Hiding and Protection

            barindex
            Icon mismatch, binary includes an icon from a different legit application in order to fool users
            Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (87).png
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\AppData\Local\Temp\host process.exeFile opened: C:\Users\user\AppData\Local\Temp\host process.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.Order Sheet.exe.2d9da58.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFunction Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,processSet,processSet,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\Order Sheet.exe TID: 1256Thread sleep time: -40093s >= -30000s
            Source: C:\Users\user\Desktop\Order Sheet.exe TID: 4108Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1576Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3112Thread sleep count: 6164 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3112Thread sleep count: 1387 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4928Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\host process.exe TID: 6700Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\host process.exe TID: 3984Thread sleep time: -920000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 7036Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 7036Thread sleep count: 217 > 30
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 7036Thread sleep time: -6510000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 7036Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6092Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Order Sheet.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\host process.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3649
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6164
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1387
            Source: C:\Users\user\AppData\Local\Temp\host process.exeWindow / User API: foregroundWindowGot 437
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Order Sheet.exeThread delayed: delay time: 40093
            Source: C:\Users\user\Desktop\Order Sheet.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\host process.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeThread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeThread delayed: delay time: 30000
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: Order Sheet.exe, 00000000.00000002.784217204.0000000000FCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: om&Ven_NECVMWar&Prod_VMware_O*
            Source: Order Sheet.exe, 0000000D.00000002.795016998.000000000102A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\x_M)
            Source: O.stub.exe, 00000010.00000002.936947079.00000000010F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0Z
            Source: O.stub.exe, 00000010.00000002.936947079.00000000010F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Order Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE101A GetSystemInfo,
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\host process.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 16_2_060AE108 LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Order Sheet.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Order Sheet.exeMemory written: C:\Users\user\Desktop\Order Sheet.exe base: 400000 value starts with: 4D5A
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\Desktop\Order Sheet.exe C:\Users\user\Desktop\Order Sheet.exe
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
            Source: C:\Users\user\Desktop\Order Sheet.exeProcess created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
            Source: host process.exe, 0000000F.00000002.940642113.0000000002EDF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager(
            Source: host process.exe, 0000000F.00000003.832493389.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000002.941145800.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000003.896316229.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, host process.exe, 0000000F.00000002.941095068.000000000309B000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000003.823045006.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000003.862865835.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, host process.exe, 0000000F.00000002.941175667.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000002.940691572.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 0000000F.00000002.940642113.0000000002EDF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: host process.exe, 0000000F.00000002.940691572.0000000002F13000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx2X
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Users\user\Desktop\Order Sheet.exe VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\Order Sheet.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.435c11.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.O.stub.exe.a10000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.435c11.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000D.00000003.788376076.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.790298908.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.934638725.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.789340353.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.790790305.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.940720707.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.789744754.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: O.stub.exe PID: 6148, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
            Yara detected Nanocore RAT
            Source: Yara matchFile source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.791041172.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
            Source: Yara matchFile source: 00000010.00000002.940720707.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: O.stub.exe PID: 6148, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.435c11.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.O.stub.exe.a10000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.14.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.10.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.435c11.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.0.O.stub.exe.a10000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.435c11.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000D.00000003.788376076.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.790298908.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.934638725.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.789340353.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.790790305.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.940720707.000000000315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000000.789744754.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: O.stub.exe PID: 6148, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
            Detected Nanocore Rat
            Source: Order Sheet.exe, 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Order Sheet.exe, 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: Order Sheet.exe, 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exeString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000002.940164315.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000002.940164315.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: host process.exe, 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: host process.exe, 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: host process.exe, 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: host process.exe.13.drString found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe.15.drString found in binary or memory: NanoCore.ClientPluginHost
            Yara detected Nanocore RAT
            Source: Yara matchFile source: 15.0.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5624629.8.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e595ee.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e62a4d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.0.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.6f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.dhcpmon.exe.3e5e424.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3ea2a4d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d8e541.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.Order Sheet.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e995ee.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a1810.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.0.Order Sheet.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d59930.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.3e9e424.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.43a39cf.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.host process.exe.5620000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.0.host process.exe.700000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.3d5baef.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Order Sheet.exe.4049fa0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000003.791041172.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 5588, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: Order Sheet.exe PID: 6200, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: host process.exe PID: 6076, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE299E bind,
            Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 15_2_02AE294C bind,

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts211
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		1
            Access Token Manipulation            		21
            Disable or Modify Tools            		2
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services11
            Archive Collected Data            		Exfiltration Over Other Network Medium1
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default Accounts1
            Native API            		Boot or Logon Initialization Scripts112
            Process Injection            		1
            Deobfuscate/Decode Files or Information            		121
            Input Capture            		115
            System Information Discovery            		Remote Desktop Protocol2
            Data from Local System            		Exfiltration Over Bluetooth1
            Non-Standard Port            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain Accounts1
            Scheduled Task/Job            		Logon Script (Windows)1
            Scheduled Task/Job            		2
            Obfuscated Files or Information            		1
            Credentials in Registry            		1
            Query Registry            		SMB/Windows Admin Shares1
            Email Collection            		Automated Exfiltration1
            Remote Access Software            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)14
            Software Packing            		NTDS311
            Security Software Discovery            		Distributed Component Object Model121
            Input Capture            		Scheduled Transfer1
            Non-Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script12
            Masquerading            		LSA Secrets2
            Process Discovery            		SSHKeyloggingData Transfer Size Limits111
            Application Layer Protocol            		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common131
            Virtualization/Sandbox Evasion            		Cached Domain Credentials131
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items1
            Access Token Manipulation            		DCSync1
            Application Window Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job112
            Process Injection            		Proc Filesystem1
            Remote System Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
            Hidden Files and Directories            		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 560229 Sample: Order Sheet.exe Startdate: 26/01/2022 Architecture: WINDOWS Score: 100 52 timmy13.ddns.net 2->52 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 17 other signatures 2->66 8 Order Sheet.exe 7 2->8         started        12 dhcpmon.exe 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\nXyTfXBfrv.exe, PE32 8->36 dropped 38 C:\Users\...\nXyTfXBfrv.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp87D8.tmp, XML 8->40 dropped 42 C:\Users\user\AppData\...\Order Sheet.exe.log, ASCII 8->42 dropped 78 Adds a directory exclusion to Windows Defender 8->78 80 Injects a PE file into a foreign processes 8->80 14 Order Sheet.exe 8->14         started        17 powershell.exe 23 8->17         started        19 powershell.exe 25 8->19         started        21 schtasks.exe 8->21         started        signatures6 process7 file8 48 C:\Users\user\AppData\...\host process.exe, PE32 14->48 dropped 50 C:\Users\user\AppData\Local\Temp\O.stub.exe, PE32 14->50 dropped 23 O.stub.exe 14->23         started        27 host process.exe 14->27         started        30 conhost.exe 17->30         started        32 conhost.exe 19->32         started        34 conhost.exe 21->34         started        process9 dnsIp10 54 smtp.yandex.ru 77.88.21.158, 49791, 587 YANDEXRU Russian Federation 23->54 56 smtp.yandex.com 23->56 68 Antivirus detection for dropped file 23->68 70 Multi AV Scanner detection for dropped file 23->70 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->72 76 8 other signatures 23->76 58 timmy13.ddns.net 185.140.53.138, 28289, 49771, 49772 DAVID_CRAIGGG Sweden 27->58 44 C:\Program Files (x86)\...\dhcpmon.exe, PE32 27->44 dropped 46 C:\Users\user\AppData\Roaming\...\run.dat, data 27->46 dropped 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->74 file11 signatures12

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Order Sheet.exe25%VirustotalBrowse
            Order Sheet.exe19%ReversingLabsWin32.Trojan.Woreflint
            Order Sheet.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Temp\host process.exe100%AviraTR/Dropper.MSIL.Gen7
            C:\Users\user\AppData\Local\Temp\O.stub.exe100%AviraTR/Spy.Gen8
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%AviraTR/Dropper.MSIL.Gen7
            C:\Users\user\AppData\Local\Temp\host process.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\O.stub.exe100%Joe Sandbox ML
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%ReversingLabsByteCode-MSIL.Backdoor.NanoCore
            C:\Users\user\AppData\Local\Temp\O.stub.exe56%MetadefenderBrowse
            C:\Users\user\AppData\Local\Temp\O.stub.exe86%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
            C:\Users\user\AppData\Local\Temp\host process.exe100%ReversingLabsByteCode-MSIL.Backdoor.NanoCore
            C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe19%ReversingLabsWin32.Trojan.Woreflint

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            17.2.dhcpmon.exe.6f0000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            13.0.Order Sheet.exe.400000.4.unpack100%AviraTR/Dropper.GenDownload File
            15.0.host process.exe.700000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            0.2.Order Sheet.exe.3d59930.4.unpack100%AviraTR/Dropper.GenDownload File
            16.0.O.stub.exe.a10000.0.unpack100%AviraHEUR/AGEN.1138205Download File
            13.0.Order Sheet.exe.400000.12.unpack100%AviraTR/Dropper.GenDownload File
            13.0.Order Sheet.exe.400000.8.unpack100%AviraTR/Dropper.GenDownload File
            16.0.O.stub.exe.a10000.3.unpack100%AviraHEUR/AGEN.1138205Download File
            13.2.Order Sheet.exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File
            17.0.dhcpmon.exe.6f0000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            16.0.O.stub.exe.a10000.1.unpack100%AviraHEUR/AGEN.1138205Download File
            16.2.O.stub.exe.a10000.0.unpack100%AviraHEUR/AGEN.1138205Download File
            15.0.host process.exe.700000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            13.0.Order Sheet.exe.400000.6.unpack100%AviraTR/Dropper.GenDownload File
            15.0.host process.exe.700000.2.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            15.2.host process.exe.700000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            16.0.O.stub.exe.a10000.2.unpack100%AviraHEUR/AGEN.1138205Download File
            0.2.Order Sheet.exe.43a1810.7.unpack100%AviraTR/Dropper.GenDownload File
            15.0.host process.exe.700000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
            15.2.host process.exe.5620000.7.unpack100%AviraTR/NanoCore.fadteDownload File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.fontbureau.come.com0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.comdiaa0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            https://EZoeItrV4lpBHNUc3pDH.com0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.fontbureau.coma%0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            timmy13.ddns.net
            		185.140.53.138
            		truefalse
              		high
              smtp.yandex.ru
              		77.88.21.158
              		truefalse
                		high
                smtp.yandex.com
                		unknown
                		unknownfalse
                  		high

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.apache.org/licenses/LICENSE-2.0Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.comOrder Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designersGOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers?Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.tiro.comOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designersOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.goodfont.co.krOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.come.comOrder Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.carterandcone.comlOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.sajatypeworks.comOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.typography.netDOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.founder.com.cn/cn/cTheOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.comOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/frere-user.htmlOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.comdiaaOrder Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleaseOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers8Order Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.fonts.comOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.deDPleaseOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://EZoeItrV4lpBHNUc3pDH.comO.stub.exe, 00000010.00000002.940885541.0000000003261000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.zhongyicts.com.cnOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameOrder Sheet.exe, 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.sakkal.comOrder Sheet.exe, 00000000.00000002.790648459.0000000006E12000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.coma%Order Sheet.exe, 00000000.00000002.783883940.0000000000F67000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		low

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        77.88.21.158
                                        		smtp.yandex.ruRussian Federation
                                        		13238YANDEXRUfalse
                                        185.140.53.138
                                        		timmy13.ddns.netSweden
                                        		209623DAVID_CRAIGGGfalse

                                        General Information

                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:560229
                                        Start date:26.01.2022
                                        Start time:09:35:16
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 13m 15s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:Order Sheet.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:25
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@17/16@12/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 5.2% (good quality ratio 3.4%)
                                        • Quality average: 32.9%
                                        • Quality standard deviation: 28.9%
                                        HCA Information:
                                        • Successful, ratio: 94%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe

                                        Warnings

                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, s-ring.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, arc.msn.com, t-ring.msedge.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        09:36:36API Interceptor2x Sleep call for process: Order Sheet.exe modified
                                        09:36:58API Interceptor73x Sleep call for process: powershell.exe modified
                                        09:37:14API Interceptor446x Sleep call for process: host process.exe modified
                                        09:37:15AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        09:37:31API Interceptor371x Sleep call for process: O.stub.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASNs

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                                        Download File
                                        Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):207360
                                        Entropy (8bit):7.448972782235035
                                        Encrypted:false
                                        SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                        MD5:042FA6CD64D8F55F1405D130E306E47A
                                        SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                        SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                        SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 100%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

                                        Download File
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):525
                                        Entropy (8bit):5.2874233355119316
                                        Encrypted:false
                                        SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                        MD5:61CCF53571C9ABA6511D696CB0D32E45
                                        SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                        SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                        SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Sheet.exe.log

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:unknown
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):22300
                                        Entropy (8bit):5.60227512635438
                                        Encrypted:false
                                        SSDEEP:384:ltCDRC0c4BJWXMy909bKc9S0nAjultIub7Y9gBSJ3x6T1MavZlbAV7wWlS5ZBDIj:e0XMMYjTAClth7BcACufw8Vg
                                        MD5:130FDD38F809F9338F805DAEA9B62136
                                        SHA1:33A580DDA1B7C67D9D977E8D2C2CE60A57FC6591
                                        SHA-256:3AA43720B131CDDD1687DEF19222D774CA1442B2D248DF94630A86114C09D8C4
                                        SHA-512:BBC3AD9526E6F603A15D07E444EB3C0357185E28EE19389F636012EC043691BCEB8BE5D8A3D31777CF1C5FD0775148C93431A20E70B62A47E94ACB8B364E35C0
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:@...e...................h.............X...I..........@..........H...............<@.^.L."My...:U..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                        C:\Users\user\AppData\Local\Temp\O.stub.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):283136
                                        Entropy (8bit):6.583518106694022
                                        Encrypted:false
                                        SSDEEP:3072:48lUfsVrpgVIRckQkPIQBoczsDnW+xtUpYslLR8o5s9ODfa8CKeZp/YUNRnoFd18:48lZgPlhKYc2K+p/YUk1wP6D
                                        MD5:69709CD1D2019B22E72550ABE3AEF9D7
                                        SHA1:D82D111D5ECB7E2D4DA56C40E9B6EFB409C90243
                                        SHA-256:B1C71A6054350653138D7C6D9E501DC09E79BCDFD5FECD4F29461B7CA7DA23A4
                                        SHA-512:5268D185A569FC35CE5761B47713A9D94018A9EA7C9C42EE5942A13722C8D460C3D7760996F21604AA188C24C17EA64DF516D261A73E2BCE5FD75FCBABF83861
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Metadefender, Detection: 56%, Browse
                                        • Antivirus: ReversingLabs, Detection: 86%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ul.^.................J...........i... ........@.. ....................................@..................................i..W....... ............................................................................ ............... ..H............text....I... ...J.................. ..`.rsrc... ............L..............@..@.reloc...............P..............@..B.................i......H..................L............................................................q;.SfQ.k..g.2&.0..W.a..JaAN'nG.2N.. .....e..@N.J......@...DG9.....j...GSENaO.p..u..2.. q4......7...U...]..].h7C2..H.{4.o0:.W.c...C.II*.3Mr........W.&F~5...J.r6IG{X..X.d..P..F...0........8GCU.}.r`...._.a.N..0vDjVG..6.9.3.\. ....8....5_X....`.B;.N....N....S_p..em,Rc.9.4_*5..p..kOPulz-.~..@........v.#K...c......p&X..K..> rH.Ra...$l.j4.n.."J.S.:..p6.)w...k.@".c..6..G...Ok.w...4....

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4scc5o5w.sni.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:1

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fy3orlzq.rnz.ps1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:1

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3pr0zi5.igp.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:1

                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmamsk4v.xr1.psm1

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:1

                                        C:\Users\user\AppData\Local\Temp\host process.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):207360
                                        Entropy (8bit):7.448972782235035
                                        Encrypted:false
                                        SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                        MD5:042FA6CD64D8F55F1405D130E306E47A
                                        SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                        SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                        SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 100%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..

                                        C:\Users\user\AppData\Local\Temp\tmp87D8.tmp

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1597
                                        Entropy (8bit):5.1406468949426865
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaMxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTpv
                                        MD5:7735E0A0B81A5A63D6EA540BE4025893
                                        SHA1:3AFF867F90FCA54EA918D66A0D4A617F35597F2E
                                        SHA-256:D1061050FE9D6747753D2CAF4B7991C1DA87271488A189E121819D157FB991D7
                                        SHA-512:16164642FD7116206CCB2EEC7BAE42163E643F57B1965D622E2FBE3A216419E8B46ABA715175E44B3C18FD9B9BDE8F3EC8D47B3A5A8E588F9A2410538EA4376F
                                        Malicious:true
                                        Reputation:unknown
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

                                        Download File
                                        Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:3jfF8n:x8
                                        MD5:EF4BC35F382EFDAAA6AC50BE151D16CC
                                        SHA1:AF893D3A1979E6A574021A61E097B888FDA5668B
                                        SHA-256:02853E75E5FEC3B59A9EA592B25D651EF3F4D30078C47BDD703BA8D78DC90CD2
                                        SHA-512:813DD4E36B876765E75D017D0D17D47C13B8F41FA85B582420FD3D3765658585BC11444671F42B6C516F470986CC43CA3373764D56C618777A6995D2CD1B0E85
                                        Malicious:true
                                        Reputation:unknown
                                        Preview:.......H

                                        C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1601024
                                        Entropy (8bit):7.477755094427583
                                        Encrypted:false
                                        SSDEEP:49152:gu2h3XxMPoYfBCaTnOfSepK6NNgeG68Nq9Hr2839Y2YXC8bx7wwI3nwiY4gZcaff:uYzfIEOfSP6NNgeG68Nq9Hr2839Y2YXJ
                                        MD5:8AA38313A97D72B6D14B4D067F125086
                                        SHA1:FA8B4C59DCD2F226D3DCA64A4B1C8A656F033BD1
                                        SHA-256:8D1D485136C3E142C31A382E508ED735AD6E290574FE21F754CDFC7CF61ABC43
                                        SHA-512:AD553AEF980ECA1D9DE9E8C48D46099A19513CBC33929A097AF9E216D36AF8AAF22EFEA131A6E38B9C70ACCE18EAE74A0C4D6FCBE78F050D2EDCEB78AA9F2916
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 19%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.............F.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............l..............@..B................(.......H.......<...x...............@Q...........................................0..G........r...p.......,..r...ps....z...(....(...........r...p.o....(....s....z.*..........-.......0..o........s......s......~..........(.........o.........,..(.......o ......*...rW..p..o....(....(!..........,..o".......*..(.......-..........4B..........Za.......0..o........s#........o$....s%......+......J...r...p(&...o'...&...X....i......-..o(.......&.r...p(!..........,..o".......*.........GO..........

                                        C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe:Zone.Identifier

                                        Download File
                                        Process:C:\Users\user\Desktop\Order Sheet.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:unknown
                                        Preview:[ZoneTransfer]....ZoneId=0

                                        C:\Users\user\Documents\20220126\PowerShell_transcript.928100.iuunIUjd.20220126093659.txt

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5789
                                        Entropy (8bit):5.405249128810557
                                        Encrypted:false
                                        SSDEEP:96:BZ8jGNRvqDo1ZAIZHjGNRvqDo1ZcesGjZIjGNRvqDo1ZozWWnZo:I
                                        MD5:54891A9A70C35686277A61A955E6759F
                                        SHA1:13ADD50266AB1FECDEFF5861FA5CFD0C4B91CB64
                                        SHA-256:8D015F56AFB64F587B06BD018160FA239459734126D52CFF29083B1286C8C534
                                        SHA-512:033A3CC3D0C14D5C721461CA3EFCC4724E0270CC05ECEEA528235AFEF9D96A0CA0F088E2DF6007AE304AD2DD6B6E851C0B3B4A48A0505F105267BC1565CDE0F9
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126093700..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe..Process ID: 4088..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126093700..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe..**********************..Windows PowerShell transcript start..Start time: 20220126094126..Username: computer\user..RunAs User: computer\jone

                                        C:\Users\user\Documents\20220126\PowerShell_transcript.928100.tMbosfeB.20220126093657.txt

                                        Download File
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3494
                                        Entropy (8bit):5.295443301124513
                                        Encrypted:false
                                        SSDEEP:96:BZGjGNnqDo1ZwmZ4jGNnqDo1Z2qKr0cr0cr0drZTS:Y//B
                                        MD5:E8BDC6EADEA4F31A03A6C99D330ACAF5
                                        SHA1:63AB78EDD34962187766E7A7DA7EA53D5DC75744
                                        SHA-256:41966A4C53E960589C73C9E70AA496F1117A8B77260E7D09F75955945F863074
                                        SHA-512:B5A74BA0A47E83FCEDB962215497DE259443676D5B75ADE43DC6F2FE68688BC674036DF88014A850B8C411C17FD4A6135B6349A69F32A74C92C1CF0A39239722
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126093658..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Sheet.exe..Process ID: 6228..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126093658..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Sheet.exe..**********************..Command start time: 20220126094037..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter cannot be found that

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.477755094427583
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:Order Sheet.exe
                                        File size:1601024
                                        MD5:8aa38313a97d72b6d14b4d067f125086
                                        SHA1:fa8b4c59dcd2f226d3dca64a4b1c8a656f033bd1
                                        SHA256:8d1d485136c3e142c31a382e508ed735ad6e290574fe21f754cdfc7cf61abc43
                                        SHA512:ad553aef980eca1d9de9e8c48d46099a19513cbc33929a097af9e216d36af8aaf22efea131a6e38b9c70acce18eae74a0c4d6fcbe78f050d2edceb78aa9f2916
                                        SSDEEP:49152:gu2h3XxMPoYfBCaTnOfSepK6NNgeG68Nq9Hr2839Y2YXC8bx7wwI3nwiY4gZcaff:uYzfIEOfSP6NNgeG68Nq9Hr2839Y2YXJ
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.............F.... ........@.. ....................................@................................

                                        File Icon

                                        Icon Hash:4f878a8c8e8e874f

                                        Static PE Info

                                        General

                                        Entrypoint:0x51e746
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x61F0A484 [Wed Jan 26 01:31:48 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        mov byte ptr [eax-2C754571h], ch
                                        mov ecx, CFB1EDF5h
                                        jmp far 82EBh : FBB5E4AAh
                                        stc
                                        nop
                                        retf B5C9h
                                        out DCh, eax
                                        mov seg?, word ptr [edi-1F081154h]
                                        retf EA8Eh
                                        retf CE80h
                                        lds ebp, fword ptr [ebp-7B2F3B49h]
                                        xchg eax, ebx
                                        aad F0h
                                        jmp 00007F2794BA2B0Ah
                                        mov ah, 9Dh
                                        int3
                                        scasd
                                        movsd
                                        xchg eax, ebp
                                        mov edx, 9DD28799h
                                        jecxz 00007F2794BA2AD3h
                                        mov edx, 0000CA90h
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x11e6f40x4f.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x1200000x6a100.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x18c0000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x11c78c0x11c800False0.790293071727data7.73049016205IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc0x1200000x6a1000x6a200False0.217102841578data5.70309311156IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0x18c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountry
                                        RT_ICON0x1202e00x468GLS_BINARY_LSB_FIRST
                                        RT_ICON0x1207480x988data
                                        RT_ICON0x1210d00x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951
                                        RT_ICON0x1221780x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294440951, next used block 4294440951
                                        RT_ICON0x1247200x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294440951, next used block 4294440951
                                        RT_ICON0x1289480x5488data
                                        RT_ICON0x12ddd00x94a8data
                                        RT_ICON0x1372780x10828data
                                        RT_ICON0x147aa00x42028data
                                        RT_GROUP_ICON0x189ac80x84data
                                        RT_GROUP_ICON0x189b4c0x14data
                                        RT_VERSION0x189b600x3b4data
                                        RT_MANIFEST0x189f140x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Version Infos

                                        DescriptionData
                                        Translation0x0000 0x04b0
                                        LegalCopyrightCopyright 2012
                                        Assembly Version1.5.0.0
                                        InternalNameEnumerateQueuedWorkItemsd.exe
                                        FileVersion22.0.3.0
                                        CompanyName
                                        LegalTrademarks
                                        Comments
                                        ProductNameiiInfinityEngine Application
                                        ProductVersion22.0.3.0
                                        FileDescriptioniiInfinityEngine Application
                                        OriginalFilenameEnumerateQueuedWorkItemsd.exe

                                        Network Behavior

                                        Snort IDS Alerts

                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                        01/26/22-09:37:20.272699UDP254DNS SPOOF query response with TTL of 1 min. and no authority53580288.8.8.8192.168.2.4
                                        01/26/22-09:37:28.793156UDP254DNS SPOOF query response with TTL of 1 min. and no authority53530978.8.8.8192.168.2.4
                                        01/26/22-09:37:35.309243UDP254DNS SPOOF query response with TTL of 1 min. and no authority53492578.8.8.8192.168.2.4
                                        01/26/22-09:38:00.114032UDP254DNS SPOOF query response with TTL of 1 min. and no authority53566218.8.8.8192.168.2.4
                                        01/26/22-09:38:19.365908UDP254DNS SPOOF query response with TTL of 1 min. and no authority53617218.8.8.8192.168.2.4
                                        01/26/22-09:38:24.484006UDP254DNS SPOOF query response with TTL of 1 min. and no authority53512558.8.8.8192.168.2.4

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Jan 26, 2022 09:37:20.284939051 CET4977128289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:20.309189081 CET2828949771185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:20.985627890 CET4977128289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:21.010018110 CET2828949771185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:21.595035076 CET4977128289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:21.619411945 CET2828949771185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:28.809151888 CET4977228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:28.835051060 CET2828949772185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:29.487339020 CET4977228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:29.511679888 CET2828949772185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:30.095736027 CET4977228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:30.120399952 CET2828949772185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:35.438718081 CET4977528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:35.463648081 CET2828949775185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:36.011564016 CET4977528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:36.036777020 CET2828949775185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:36.721287012 CET4977528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:36.756702900 CET2828949775185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:45.345719099 CET4978228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:45.369750977 CET2828949782185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:45.987684011 CET4978228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:46.011650085 CET2828949782185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:46.597110987 CET4978228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:46.621114969 CET2828949782185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:53.208463907 CET4978528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:53.232434034 CET2828949785185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:53.816437960 CET4978528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:53.840488911 CET2828949785185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:54.504038095 CET4978528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:37:54.528040886 CET2828949785185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:37:58.171214104 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.240809917 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.240943909 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.403897047 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.404520035 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.473668098 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.473753929 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.474026918 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.520803928 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.543967009 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.544141054 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:37:58.590092897 CET5874979177.88.21.158192.168.2.4
                                        Jan 26, 2022 09:37:58.590195894 CET49791587192.168.2.477.88.21.158
                                        Jan 26, 2022 09:38:00.120090008 CET4979428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:00.144737005 CET2828949794185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:00.785784006 CET4979428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:00.810064077 CET2828949794185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:01.395205021 CET4979428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:01.419224977 CET2828949794185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:07.200850010 CET4981528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:07.225295067 CET2828949815185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:07.739521027 CET4981528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:07.765228033 CET2828949815185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:08.270811081 CET4981528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:08.295097113 CET2828949815185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:13.381500006 CET4982028289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:13.405689001 CET2828949820185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:13.911890030 CET4982028289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:13.936033964 CET2828949820185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:14.443311930 CET4982028289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:14.467354059 CET2828949820185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:19.369946003 CET4982228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:19.394294977 CET2828949822185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:19.896815062 CET4982228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:19.921241999 CET2828949822185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:20.428132057 CET4982228289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:20.452897072 CET2828949822185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:24.488524914 CET4982428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:24.517618895 CET2828949824185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:25.131593943 CET4982428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:25.155803919 CET2828949824185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:25.741022110 CET4982428289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:25.764976025 CET2828949824185.140.53.138192.168.2.4
                                        Jan 26, 2022 09:38:29.823460102 CET4982528289192.168.2.4185.140.53.138
                                        Jan 26, 2022 09:38:29.847364902 CET2828949825185.140.53.138192.168.2.4

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Jan 26, 2022 09:37:20.251436949 CET5802853192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:20.272699118 CET53580288.8.8.8192.168.2.4
                                        Jan 26, 2022 09:37:28.772248030 CET5309753192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:28.793155909 CET53530978.8.8.8192.168.2.4
                                        Jan 26, 2022 09:37:35.287247896 CET4925753192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:35.309242964 CET53492578.8.8.8192.168.2.4
                                        Jan 26, 2022 09:37:45.305258989 CET4991053192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:45.326595068 CET53499108.8.8.8192.168.2.4
                                        Jan 26, 2022 09:37:53.186959028 CET6454953192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:53.206617117 CET53645498.8.8.8192.168.2.4
                                        Jan 26, 2022 09:37:58.129935980 CET5653453192.168.2.48.8.8.8
                                        Jan 26, 2022 09:37:58.150065899 CET53565348.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:00.092590094 CET5662153192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:00.114032030 CET53566218.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:07.134366989 CET6407853192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:07.152343035 CET53640788.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:13.343151093 CET6480153192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:13.362807989 CET53648018.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:19.346575975 CET6172153192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:19.365907907 CET53617218.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:24.461409092 CET5125553192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:24.484005928 CET53512558.8.8.8192.168.2.4
                                        Jan 26, 2022 09:38:29.803133965 CET6152253192.168.2.48.8.8.8
                                        Jan 26, 2022 09:38:29.822896957 CET53615228.8.8.8192.168.2.4

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                        Jan 26, 2022 09:37:20.251436949 CET192.168.2.48.8.8.80xa9ceStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:28.772248030 CET192.168.2.48.8.8.80x55dStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:35.287247896 CET192.168.2.48.8.8.80x714dStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:45.305258989 CET192.168.2.48.8.8.80xbd6cStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:53.186959028 CET192.168.2.48.8.8.80xbc91Standard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:58.129935980 CET192.168.2.48.8.8.80x6b0fStandard query (0)smtp.yandex.comA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:00.092590094 CET192.168.2.48.8.8.80x3bbbStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:07.134366989 CET192.168.2.48.8.8.80x15c8Standard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:13.343151093 CET192.168.2.48.8.8.80xe257Standard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:19.346575975 CET192.168.2.48.8.8.80xfcc7Standard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:24.461409092 CET192.168.2.48.8.8.80x49cStandard query (0)timmy13.ddns.netA (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:29.803133965 CET192.168.2.48.8.8.80x3024Standard query (0)timmy13.ddns.netA (IP address)IN (0x0001)

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                        Jan 26, 2022 09:37:20.272699118 CET8.8.8.8192.168.2.40xa9ceNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:28.793155909 CET8.8.8.8192.168.2.40x55dNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:35.309242964 CET8.8.8.8192.168.2.40x714dNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:45.326595068 CET8.8.8.8192.168.2.40xbd6cNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:53.206617117 CET8.8.8.8192.168.2.40xbc91No error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:37:58.150065899 CET8.8.8.8192.168.2.40x6b0fNo error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)
                                        Jan 26, 2022 09:37:58.150065899 CET8.8.8.8192.168.2.40x6b0fNo error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:00.114032030 CET8.8.8.8192.168.2.40x3bbbNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:07.152343035 CET8.8.8.8192.168.2.40x15c8No error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:13.362807989 CET8.8.8.8192.168.2.40xe257No error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:19.365907907 CET8.8.8.8192.168.2.40xfcc7No error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:24.484005928 CET8.8.8.8192.168.2.40x49cNo error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)
                                        Jan 26, 2022 09:38:29.822896957 CET8.8.8.8192.168.2.40x3024No error (0)timmy13.ddns.net185.140.53.138A (IP address)IN (0x0001)

                                        SMTP Packets

                                        TimestampSource PortDest PortSource IPDest IPCommands
                                        Jan 26, 2022 09:37:58.403897047 CET5874979177.88.21.158192.168.2.4220 sas2-34ddad429748.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1643186278-2XpDuhdd9g-bwHijw0x
                                        Jan 26, 2022 09:37:58.404520035 CET49791587192.168.2.477.88.21.158EHLO 928100
                                        Jan 26, 2022 09:37:58.473753929 CET5874979177.88.21.158192.168.2.4250-sas2-34ddad429748.qloud-c.yandex.net
                                        250-8BITMIME
                                        250-PIPELINING
                                        250-SIZE 53477376
                                        250-STARTTLS
                                        250-AUTH LOGIN PLAIN XOAUTH2
                                        250-DSN
                                        250 ENHANCEDSTATUSCODES
                                        Jan 26, 2022 09:37:58.474026918 CET49791587192.168.2.477.88.21.158STARTTLS
                                        Jan 26, 2022 09:37:58.543967009 CET5874979177.88.21.158192.168.2.4220 Go ahead

                                        Statistics

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:09:36:12
                                        Start date:26/01/2022
                                        Path:C:\Users\user\Desktop\Order Sheet.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Order Sheet.exe"
                                        Imagebase:0x720000
                                        File size:1601024 bytes
                                        MD5 hash:8AA38313A97D72B6D14B4D067F125086
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.784669508.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.785591112.0000000003D59000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.786336359.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Target ID:7
                                        Start time:09:36:55
                                        Start date:26/01/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Sheet.exe
                                        Imagebase:0x7ff732050000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Target ID:8
                                        Start time:09:36:56
                                        Start date:26/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Target ID:9
                                        Start time:09:36:57
                                        Start date:26/01/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nXyTfXBfrv.exe
                                        Imagebase:0x1d0000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Target ID:10
                                        Start time:09:36:57
                                        Start date:26/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Target ID:11
                                        Start time:09:36:58
                                        Start date:26/01/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXyTfXBfrv" /XML "C:\Users\user\AppData\Local\Temp\tmp87D8.tmp
                                        Imagebase:0xc60000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Target ID:12
                                        Start time:09:36:59
                                        Start date:26/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Target ID:13
                                        Start time:09:37:01
                                        Start date:26/01/2022
                                        Path:C:\Users\user\Desktop\Order Sheet.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\Order Sheet.exe
                                        Imagebase:0x710000
                                        File size:1601024 bytes
                                        MD5 hash:8AA38313A97D72B6D14B4D067F125086
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Visual Basic
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.788250788.0000000003556000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000003.788376076.000000000106F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.778355649.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.777156532.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.794132877.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.791041172.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Target ID:15
                                        Start time:09:37:08
                                        Start date:26/01/2022
                                        Path:C:\Users\user\AppData\Local\Temp\host process.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\host process.exe" 0
                                        Imagebase:0x700000
                                        File size:207360 bytes
                                        MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.785845413.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.786290846.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.785282794.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.941244676.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.942025681.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.934558154.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.941790490.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.786907867.0000000000702000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 100%, ReversingLabs
                                        Reputation:low

                                        General

                                        Target ID:16
                                        Start time:09:37:10
                                        Start date:26/01/2022
                                        Path:C:\Users\user\AppData\Local\Temp\O.stub.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
                                        Imagebase:0xa10000
                                        File size:283136 bytes
                                        MD5 hash:69709CD1D2019B22E72550ABE3AEF9D7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.790298908.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.934638725.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.789340353.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.790790305.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.940720707.000000000315C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.940720707.000000000315C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.789744754.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 56%, Metadefender, Browse
                                        • Detection: 86%, ReversingLabs
                                        Reputation:low

                                        General

                                        Target ID:17
                                        Start time:09:37:24
                                        Start date:26/01/2022
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                        Imagebase:0x6f0000
                                        File size:207360 bytes
                                        MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.819202402.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.839950628.0000000003E11000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.839877068.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.839063926.00000000006F2000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 100%, ReversingLabs
                                        Reputation:low

                                        Disassembly

                                        No disassembly