Windows Analysis Report
Order Specification.exe

Overview

General Information

Sample Name: Order Specification.exe
Analysis ID: 560231
MD5: 0484c885885e6b4635cf330d72eaba9a
SHA1: 86ed8ae352598ba36d7b58ceba43a81773ab0bb9
SHA256: 762aa095e3249e971c9b8ed7b0bf6489648db9a61496112ff237d6120f3e092b
Tags: exe, NanoCore, RAT

Detection

Nanocore AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for dropped file
Yara detected Nanocore RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Sigma detected: Suspicious Add Task From User AppData Temp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Yara detected Credential Stealer
Contains functionality to call native functions
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Order Specification.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\Order Specification.exe" MD5: 0484C885885E6B4635CF330D72EABA9A)
    • powershell.exe (PID: 6828 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4404 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6948 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Order Specification.exe (PID: 4636 cmdline: C:\Users\user\Desktop\Order Specification.exe MD5: 0484C885885E6B4635CF330D72EABA9A)
      • host process.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\host process.exe" 0 MD5: 042FA6CD64D8F55F1405D130E306E47A)
      • O.stub.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0 MD5: 69709CD1D2019B22E72550ABE3AEF9D7)
  • dhcpmon.exe (PID: 2060 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 042FA6CD64D8F55F1405D130E306E47A)
  • cleanup
No configs have been found
Source, Rule, Description, Author, Strings
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source, Rule, Description, Author, Strings
Source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source, Rule, Description, Author, Strings
Source: 2.2.Order Specification.exe.378baef.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 2.2.Order Specification.exe.378baef.4.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 2.2.Order Specification.exe.378baef.4.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 2.2.Order Specification.exe.378baef.4.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d0af:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d0dc:$x2: IClientNetworkHost

              AV Detection

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              E-Banking Fraud

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              System Summary

Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, ProcessId: 6948
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, ProcessId: 6828
Source: Network Connection, Author: frack113, Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\O.stub.exe, Initiated: true, ProcessId: 6424, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49798
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, ProcessId: 6828
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132876925237602286.6828.DefaultAppDomain.powershell

              Stealing of Sensitive Information

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              Remote Access Functionality

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              AV Detection

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Avira: detection malicious, Label: TR/Spy.Gen8
Source: Yara match, File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 79%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Metadefender: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\host process.exe, ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\hSoFri.exe, ReversingLabs: Detection: 16%
Source: Order Specification.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hSoFri.exe, Joe Sandbox ML: detected
Source: 16.0.host process.exe.90000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.Order Specification.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 23.2.dhcpmon.exe.100000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Order Specification.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.8.unpack, Avira: Label: TR/Dropper.Gen
Source: 2.2.Order Specification.exe.3789930.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 16.2.host process.exe.90000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.host process.exe.90000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.host process.exe.4ff0000.8.unpack, Avira: Label: TR/NanoCore.fadte
Source: 16.0.host process.exe.90000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Order Specification.exe.3dcec00.5.unpack, Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.12.unpack, Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.4.unpack, Avira: Label: TR/Dropper.Gen
Source: 23.0.dhcpmon.exe.100000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.host process.exe.90000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: Order Specification.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\host process.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Order Specification.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb, source: host process.exe, 00000010.00000002.559630624.0000000002405000.00000004.00000020.00020000.00000000.sdmp

              Networking

Source: unknown, DNS query: name: timmy13.ddns.net
Source: global traffic, TCP traffic: 192.168.2.3:49750 -> 185.140.53.138:28289
Source: global traffic, TCP traffic: 192.168.2.3:49798 -> 77.88.21.158:587
Source: O.stub.exe, 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://MSN1yB6AgP4w05v9.net
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.tiro.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.typography.netD
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, DNS traffic detected: queries for: timmy13.ddns.net

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\O.stub.exe
              Source: host process.exe, 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

              E-Banking Fraud

              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
              Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

              System Summary

              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
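The Yara rows in this section and in the E-Banking Fraud section above list the same few dozen sources many times over, under two naming schemes: unpacked-PE names such as 16.2.host process.exe.4ff0000.8.unpack carry the process index and image name in clear, while memory-dump names such as 00000010.00000002.560916482.0000000004FF0000.... carry the same process index as eight hex digits (00000010 is process 16, 0000000E is 14, 00000017 is 23), which is how the dump-only rows can be tied back to host process.exe, Order Specification.exe and dhcpmon.exe. The following is an added example, not part of the report and not Joe Sandbox code: a parser for rows in this page's text format that joins the two schemes and folds the repetition into one line per process. The sample rows are copied from this report; the interpretation of the second field as a dump stage is this example's assumption.

```python
"""Consolidate Joe Sandbox 'Yara match' rows into a per-process summary.

Added example, not part of the report. It parses rows as they appear on this page
(both the fused form 'type: UNPACKEDPEMatched rule:' and a ' | '-separated form) and
joins the two source-naming schemes the report uses for the same process:

  unpacked PE : <process index>.<stage>.<image name>.<hex address>.<n>[.raw].unpack
  memory dump : <process index, 8 hex digits>.<stage, 8 hex digits>.<timestamp>.<16 hex address>(.<8 hex>)+.sdmp

Calling the second field a 'stage' is this example's assumption.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^Source:\s*(?:Yara match\s*\|?\s*File source:\s*)?")
ROW_RE = re.compile(
    r"^(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)"
    r"(?:\s*\|?\s*Matched rule:\s*(?P<rule>.+?)\s+Author:\s*(?P<author>.+))?$"
)
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?\.exe)\.[0-9a-f]+\.\d+(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.[0-9A-F]{16}(?:\.[0-9A-F]{8})+\.sdmp$")
PROCMEM_RE = re.compile(r"^Process Memory Space:\s*(?P<proc>.+?)\s+PID:\s*(?P<pid>\d+)$")


def new_proc():
    return {"name": None, "rules": set(), "sources": set()}


def parse_matches(lines):
    """Return (process index -> summary dict, image name -> OS PID, set of dropped file paths)."""
    procs = defaultdict(new_proc)
    os_pids = {}
    dropped = set()
    for raw in lines:
        row = ROW_RE.match(HEADER_RE.sub("", raw.strip()))
        if not row:
            continue  # not a Yara row; other report rows are ignored
        src, kind, rule = row.group("src"), row.group("type"), row.group("rule")
        idx = None
        if kind == "UNPACKEDPE":
            m = UNPACK_RE.match(src)
            if m:
                idx = int(m.group("idx"))
                procs[idx]["name"] = m.group("proc")  # the only scheme that names the image
        elif kind == "MEMORY":
            m = SDMP_RE.match(src)
            if m:
                idx = int(m.group("idx"), 16)  # dump names carry the process index in hex
        elif kind == "MEMORYSTR":
            m = PROCMEM_RE.match(src)
            if m:
                os_pids[m.group("proc")] = int(m.group("pid"))  # real OS PID, not the index
        elif kind == "DROPPED":
            dropped.add(src)
        if idx is not None:
            procs[idx]["sources"].add(src)
            if rule:
                procs[idx]["rules"].add(rule)
    return dict(procs), os_pids, dropped


def summarize(lines):
    """One text line per process index, followed by the dropped files."""
    procs, os_pids, dropped = parse_matches(lines)
    out = []
    for idx in sorted(procs):
        p = procs[idx]
        pid = os_pids.get(p["name"])
        out.append(f"{idx:>3} {p['name'] or '?'} (PID {pid if pid is not None else '?'}) "
                   f"sources={len(p['sources'])} rules={', '.join(sorted(p['rules'])) or '-'}")
    out.extend(f"dropped: {d}" for d in sorted(dropped))
    return out


# Rows copied from this report (a subset), in the fused form the page shows.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR",
    r"Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED",
    "Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LINES)))
```

Feeding it the full row list from this page gives one line each for processes 2, 14, 16 and 23 plus the two dropped files, which is the form in which the matches are worth recording in a case file; the per-row listing above is the evidence, not the summary.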
              Source: initial sample | Static PE information: Filename: Order Specification.exe
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFC1A4
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFE5F0
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFE5E3
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0009524A
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04883850
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04888938
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0488B208
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04882FA8
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_048823A0
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0488306F
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_048895FF
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04889538
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BD208
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059B0007
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BE8D8
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BEC9B
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDEBB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BECA8
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDA53
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BE8CB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDE4A
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BD1FB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666CA58
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660070
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666C850
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06666CB7
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660F7B
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660016
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_0010524A
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F2FA8
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F23A0
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F3850
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F306F
              Source: Order Specification.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: hSoFri.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Order Specification.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 16_2_049B1AA6 NtQuerySystemInformation,
              Source: C:\Users\user\AppData\Local\Temp\host process.exeCode function: 16_2_049B1A6B NtQuerySystemInformation,
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 17_2_030BB362 NtQuerySystemInformation,
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeCode function: 17_2_030BB331 NtQuerySystemInformation,
              Source: Order Specification.exe, 00000002.00000002.394949704.00000000004B5000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCompareOptio.exeZ vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI
NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.409202104.0000000007530000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameViottoBinder_Stub.exe followed by a long run of PADDINGXX filler, vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000000.387851983.0000000001135000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameCompareOptio.exeZ vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameViottoBinder_Stub.exe followed by a long run of PADDINGXX filler, vs Order Specification.exe
              Source: Order Specification.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: hSoFri.exe.2.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: host process.exe.14.dr; Static PE information: Section: .rsrc ZLIB complexity 0.999575892857
              Source: C:\Users\user\Desktop\Order Specification.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
              Source: C:\Users\user\Desktop\Order Specification.exe; File created: C:\Users\user\AppData\Roaming\hSoFri.exe
              Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@17/15@15/3
              Source: C:\Users\user\Desktop\Order Specification.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; File created: C:\Program Files (x86)\DHCP Monitor
              Source: C:\Users\user\Desktop\Order Specification.exe; File read: C:\Users\user\Desktop\Order Specification.exe:Zone.Identifier
              Source: C:\Users\user\Desktop\Order Specification.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown; Process created: C:\Users\user\Desktop\Order Specification.exe "C:\Users\user\Desktop\Order Specification.exe"
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Users\user\Desktop\Order Specification.exe C:\Users\user\Desktop\Order Specification.exe
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
              Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
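              Added example, not part of the Joe Sandbox report and not code from the sample: a Python triage check that applies the two detection ideas behind the report's Sigma hits ("Powershell Defender Exclusion" and "Suspicius Add Task From User AppData Temp") to process-creation records. The records below are constructed from the command lines listed above plus two benign controls; the rule names, the ProcEvent shape and the USER_WRITABLE path pattern are this example's own assumptions, not Joe Sandbox or Sigma identifiers.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: parent image, child image, child command line."""
    parent_image: str
    image: str
    command_line: str


# Assumed set of user-writable locations that a legitimate installer rarely needs to
# exclude from Defender or schedule tasks from; extend per environment.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\(local\\temp|roaming)|desktop|downloads)\\", re.I)


def split_cmdline(cmd: str) -> list[str]:
    """Windows-style tokenizer: a double-quoted run is one token, quotes stripped."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the checks the record matches; [] means nothing suspicious."""
    hits: list[str] = []
    toks = split_cmdline(ev.command_line)
    low = [t.lower() for t in toks]
    image = ev.image.lower()

    if USER_WRITABLE.match(image):
        hits.append("image_in_user_writable_path")

    # Defender exclusion: Add-MpPreference with any -Exclusion* parameter (Path, Process,
    # Extension) narrows Defender coverage; a user-writable target makes it worse.
    if image.endswith(("powershell.exe", "pwsh.exe")) and "add-mppreference" in low:
        idx = next((i for i, t in enumerate(low) if t.startswith("-exclusion")), None)
        if idx is not None:
            hits.append("defender_exclusion_added")
            if idx + 1 < len(toks) and USER_WRITABLE.match(toks[idx + 1]):
                hits.append("exclusion_targets_user_writable_path")

    # Scheduled task: schtasks /Create whose /XML definition lives in a user-writable path.
    if image.endswith("schtasks.exe") and "/create" in low:
        hits.append("schtask_created")
        if "/xml" in low:
            i = low.index("/xml")
            if i + 1 < len(toks) and USER_WRITABLE.match(toks[i + 1]):
                hits.append("schtask_xml_from_user_writable_path")

    # Context: the parent itself runs from a user-writable path.
    if hits and USER_WRITABLE.match(ev.parent_image):
        hits.append("parent_runs_from_user_writable_path")
    return hits


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Keep only the records that matched at least one check."""
    out = []
    for ev in events:
        hits = detect(ev)
        if hits:
            out.append((ev.image, hits))
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE = r"C:\Users\user\Desktop\Order Specification.exe"

# Constructed records: the first four carry the command lines recorded above, the last two are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(SAMPLE, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe"'),
    ProcEvent(SAMPLE, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe"'),
    ProcEvent(SAMPLE, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp"'),
    ProcEvent(SAMPLE, r"C:\Users\user\AppData\Local\Temp\host process.exe", r'"C:\Users\user\AppData\Local\Temp\host process.exe" 0'),
    ProcEvent(r"C:\Windows\explorer.exe", SCHTASKS, r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r'powershell.exe Get-MpPreference'),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

              The checks key on the parsed argument that follows -Exclusion* or /XML rather than on a substring of the whole command line, so a quoted path containing spaces (as in "Order Specification.exe") is still evaluated as one token; the parent-path context is what separates this sample's chain, where the dropper on the Desktop launches both the exclusion and the task registration, from an administrator doing the same from an elevated console.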
              Source: C:\Users\user\Desktop\Order Specification.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_049B1866 AdjustTokenPrivileges,
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_049B182F AdjustTokenPrivileges,
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030BB1E6 AdjustTokenPrivileges,
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030BB1AF AdjustTokenPrivileges,
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Order Specification.exe; File created: C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
              Source: C:\Users\user\Desktop\Order Specification.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Order Specification.exe; Mutant created: \Sessions\1\BaseNamedObjects\ykYhkkiXIsZBHvktpXG
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{964a90aa-b121-4650-948b-3135f4e12fbc}
              Source: host process.exe.14.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
              Source: host process.exe.14.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
              Source: host process.exe.14.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder; Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Order Specification.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Order Specification.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: Order Specification.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Order Specification.exe; Static file information: File size 1590272 > 1048576
              Source: Order Specification.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x119e00
              Source: Order Specification.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: host process.exe, 00000010.00000002.559630624.0000000002405000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Order Specification.exe, iiInfinityEngine.Application/Form1.cs; .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: hSoFri.exe.2.dr, iiInfinityEngine.Application/Form1.cs; .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.Order Specification.exe.330000.0.unpack, iiInfinityEngine.Application/Form1.cs; .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.Order Specification.exe.330000.0.unpack, iiInfinityEngine.Application/Form1.cs; .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: host process.exe.14.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: host process.exe.14.dr, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 2_2_00334609 push es; retf 0005h
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 2_2_00334AD4 push es; retf 0005h
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 2_2_00334AD4 push es; retf
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 14_2_00FB4AD4 push es; retf 0005h
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 14_2_00FB4AD4 push es; retf
              Source: C:\Users\user\Desktop\Order Specification.exe; Code function: 14_2_00FB4609 push es; retf 0005h
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772875 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772DF1 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772DFD push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_007728E1 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772F60 push eax; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772D6C push ecx; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772D91 push eax; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_00772D84 push ecx; ret
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_0077288D push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD5888 push ds; retf
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD8086 push cs; retf
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FDA431 pushfd ; iretd
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD9FC6 push 00000041h; retf
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD9D8C push es; iretd
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD8B6D push edi; iretd
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FD8766 push ds; retf
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_00FDA74E push edi; retf
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B3331 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B2768 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B2FD0 push eax; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B2FE8 push eax; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B2DE4 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B303C push ecx; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B3048 push ecx; ret
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030B324D push edi; ret
              Source: initial sample; Static PE information: section name: .text entropy: 7.72216008471
              Source: host process.exe.14.dr, #=qWrm21vQ8CBMZP_RBTwpusA==.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: host process.exe.14.dr, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: C:\Users\user\Desktop\Order Specification.exe; File created: C:\Users\user\AppData\Local\Temp\O.stub.exe
              Source: C:\Users\user\Desktop\Order Specification.exe; File created: C:\Users\user\AppData\Roaming\hSoFri.exe
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Source: C:\Users\user\Desktop\Order Specification.exe; File created: C:\Users\user\AppData\Local\Temp\host process.exe
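              Added example, not from the report, the sample or Joe Sandbox: Python that reproduces the three static measurements this section relies on, per-section Shannon entropy (the ".text entropy: 7.72" finding), ZLIB complexity (the ".rsrc ZLIB complexity 0.9996" finding, computed here as compressed size over raw size, an assumption about how Joe Sandbox defines it) and the entropy of concatenated method names (the '#=q...' names are copied from the host process.exe finding above). The PE image it walks is a minimal one constructed in memory, the 7.0 and 5.0 thresholds are this example's own choices, and the section-table walker reads only the fields the check needs.

```python
import math
import random
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size (assumed definition of the report's 'ZLIB complexity');
    values near 1.0 mean zlib finds nothing to squeeze, typical of encrypted or already-packed data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(image: bytes):
    """Walk the PE section table; yields (name, virtual_size, raw_size, raw_bytes, characteristics)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, image[rptr:rptr + rsize], chars
        off += 40


def assess_sections(image: bytes, entropy_threshold: float = 7.0) -> list[dict]:
    """Per-section metrics plus the flags a packed-sample triage raises (thresholds are assumptions)."""
    findings = []
    for name, vsize, rsize, raw, chars in pe_sections(image):
        ent, cx = shannon_entropy(raw), zlib_complexity(raw)
        flags = []
        if ent >= entropy_threshold:
            flags.append("high-entropy")
        if cx >= 0.99:
            flags.append("zlib-incompressible")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        if rsize > 0x100000:
            flags.append("raw-size-over-1MiB")
        findings.append({"section": name, "entropy": round(ent, 3), "zlib_complexity": round(cx, 4), "flags": flags})
    return findings


def build_sample_pe(sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal PE (MZ stub, COFF header, no optional header, 512-byte aligned sections) for testing."""
    e_lfanew = 0x40
    image = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = (len(image) + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000, len(data),
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data + b"\0" * (-len(data) % 512)
    image += table
    return image + b"\0" * (raw_ptr - len(image)) + body


def name_entropy(names: list[str]) -> float:
    """Entropy of the concatenated method names, the measure behind 'High entropy of concatenated method names'."""
    return shannon_entropy("".join(names).encode("utf-8"))


def names_look_obfuscated(names: list[str], threshold: float = 5.0) -> bool:
    return name_entropy(names) >= threshold


# Constructed inputs: a seeded-random section standing in for an encrypted payload, and a plain-text one.
_rng = random.Random(1337)
PACKED = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
PLAIN = b"Order Specification " * 1024
SAMPLE_PE = build_sample_pe([
    (b".text", PACKED, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ, as listed for the sample above
    (b".rdata", PLAIN, 0x40000040),   # CNT_INITIALIZED_DATA | MEM_READ
])

# Method names copied from the host process.exe finding above, versus ordinary .NET names.
OBFUSCATED_NAMES = ['#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=',
                    '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=']
PLAIN_NAMES = ["CreateDecryptor", "TransformFinalBlock", "Load", "GetExecutingAssembly"]

if __name__ == "__main__":
    for f in assess_sections(SAMPLE_PE):
        print(f)
    print("obfuscated:", round(name_entropy(OBFUSCATED_NAMES), 2), "plain:", round(name_entropy(PLAIN_NAMES), 2))
```

              A section that is executable, above 7 bits per byte and that zlib cannot shrink is the static signature of the pattern the report then confirms dynamically: the .text bytes are not code but a payload that Assembly.Load(System.Byte[]) turns into a second assembly at runtime. Entropy alone is not proof (a resource-heavy section with embedded images scores high too), which is why the check reports the characteristics and size alongside it rather than a single verdict.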

              Boot Survival

              Source: C:\Users\user\Desktop\Order Specification.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp"

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\AppData\Local\Temp\host process.exe; File opened: C:\Users\user\AppData\Local\Temp\host process.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\Order Specification.exe; Process information set: NOOPENFILEERRORBOX (42 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Order Specification.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)

              Malware Analysis System Evasion

              Source: Yara match | File source: 2.2.Order Specification.exe.27cdad4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Function Chain: threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,processSet,processSet,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\Order Specification.exe TID: 6656 | Thread sleep time: -39709s >= -30000s
              Source: C:\Users\user\Desktop\Order Specification.exe TID: 4716 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2228 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6816 | Thread sleep count: 7303 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 400 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960 | Thread sleep count: 1209 > 30
              Source: C:\Users\user\AppData\Local\Temp\host process.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep count: 230 > 30
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -6900000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -60000s >= -30000s
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5180 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Last function: Thread delayed (2 identical entries)
              Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4285
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 631
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7303
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1209
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Window / User API: foregroundWindowGot 495
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 39709
              Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 30000 (2 identical entries)
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\Order Specification.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_049B158E GetSystemInfo,
              Source: C:\Users\user\Desktop\Order Specification.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666E108 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\Order Specification.exe | Memory allocated: page read and write | page guard
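The sleep rows in this section mix two different things, and an analyst reading them should separate the genuine timing evasion from .NET's ordinary blocking waits. The value 922337203685477 is Int64.MaxValue ticks divided by 10 000, i.e. .NET's TimeSpan.MaxValue in milliseconds, which is what a wait with no finite timeout looks like once the sandbox converts it (the negative sign presumably follows the NT convention of negative relative intervals, and the "s" suffix is misleading: the magnitudes are milliseconds, which is also why "delay time: 30000" lines up with the 30 s threshold). The two PowerShell values are exactly 4x and 6x that constant, consistent with the sandbox accumulating sleep time per thread across repeated unbounded waits; that reading of the accumulation is an assumption. The rows that actually indicate sleep-based evasion are the 39709 ms sleep in Order Specification.exe and, in O.stub.exe, the 6900000 ms (1 h 55 min) and 60000 ms sleeps together with the 230-call sleep loop. The Python below is an added example written for this report, not part of Joe Sandbox or of the sample; it parses a constructed excerpt of the rows above and applies that classification.

```python
import re
from typing import Dict, List

# Int64.MaxValue ticks (100 ns) / 10_000, truncated: .NET's TimeSpan.MaxValue in milliseconds.
# Interpretation used here (an assumption about the sandbox's reporting): a thread that waits
# with no finite timeout is reported as a "sleep" of exactly this length.
DOTNET_TIMESPAN_MAX_MS = 922_337_203_685_477

# Threshold the report applies to a single delay (the "-30000s" on the right of each row).
LONG_SLEEP_THRESHOLD_MS = 30_000

# Constructed excerpt of the rows above. Sign and "s" suffix are copied as the report prints
# them; magnitudes are treated as milliseconds (assumption, see the lead-in).
SAMPLE_ROWS = """\
Order Specification.exe TID: 6656 Thread sleep time: -39709s >= -30000s
Order Specification.exe TID: 4716 Thread sleep time: -922337203685477s >= -30000s
powershell.exe TID: 6328 Thread sleep time: -3689348814741908s >= -30000s
powershell.exe TID: 6816 Thread sleep count: 7303 > 30
powershell.exe TID: 400 Thread sleep time: -5534023222112862s >= -30000s
O.stub.exe TID: 6056 Thread sleep count: 230 > 30
O.stub.exe TID: 6056 Thread sleep time: -6900000s >= -30000s
O.stub.exe TID: 6056 Thread sleep time: -60000s >= -30000s
dhcpmon.exe TID: 5180 Thread sleep time: -922337203685477s >= -30000s
"""

TIME_RE = re.compile(r"^(?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
COUNT_RE = re.compile(r"^(?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) >")


def classify_delay(ms: int) -> dict:
    """Classify one accumulated per-thread sleep value from the report.

    A whole multiple of TimeSpan.MaxValue is read as that many waits with an unbounded
    timeout (4x and 6x appear in the PowerShell rows): ordinary blocking calls, not timing
    evasion. Any other value at or above the threshold is a genuine timed delay.
    """
    if ms > 0 and ms % DOTNET_TIMESPAN_MAX_MS == 0:
        return {"kind": "unbounded_wait", "waits": ms // DOTNET_TIMESPAN_MAX_MS}
    kind = "long_sleep" if ms >= LONG_SLEEP_THRESHOLD_MS else "short"
    return {"kind": kind, "minutes": round(ms / 60_000, 1)}


def triage(report_text: str) -> Dict[str, List[dict]]:
    """Parse sleep-time and sleep-count rows and group the classified entries by process."""
    out: Dict[str, List[dict]] = {}
    for line in report_text.splitlines():
        m = TIME_RE.match(line)
        if m:
            entry = {"tid": int(m["tid"]), **classify_delay(int(m["ms"]))}
        else:
            m = COUNT_RE.match(line)
            if not m:
                continue
            entry = {"tid": int(m["tid"]), "kind": "sleep_loop", "calls": int(m["n"])}
        out.setdefault(m["proc"], []).append(entry)
    return out


def real_sleep_evasion(report_text: str) -> List[str]:
    """Processes with a real timed delay or a sleep loop, ignoring unbounded waits."""
    return sorted(proc for proc, rows in triage(report_text).items()
                  if any(r["kind"] in ("long_sleep", "sleep_loop") for r in rows))


if __name__ == "__main__":
    for proc, rows in triage(SAMPLE_ROWS).items():
        print(proc, rows)
    print("timing evasion worth reporting:", real_sleep_evasion(SAMPLE_ROWS))
```

On the sample rows this leaves dhcpmon.exe out of the evasion list (its only entry is one unbounded wait) and keeps Order Specification.exe, O.stub.exe and powershell.exe, the last one purely for its sleep loops; the dhcpmon.exe copy is still the persisted payload, it just does not show timing evasion in these rows.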

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe (3 identical entries)
              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe (3 identical entries)
              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\Desktop\Order Specification.exe C:\Users\user\Desktop\Order Specification.exe
              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
              Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
              Source: host process.exe, 00000010.00000002.559742807.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.560071441.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559889527.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559876304.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559812533.0000000002847000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
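The process-creation rows above are the raw material behind the "Sigma detected: Powershell Defender Exclusion" and "Suspicius Add Task From User AppData Temp" hits in the overview: a PowerShell Add-MpPreference -ExclusionPath call aimed at files under the user profile, a schtasks /Create fed a task definition from %TEMP%, the sample re-launching its own image, and two payloads executing out of %TEMP%. Note that the rows record only that each command was launched, not that it succeeded; Add-MpPreference needs an elevated token, so on a live host the follow-up check is to read (Get-MpPreference).ExclusionPath and Get-ScheduledTask -TaskPath "\Updates\" after the fact. The Python below is an added example, not part of Joe Sandbox or of any Sigma rule; it replays the six command lines as constructed process-creation events, adds one constructed, hypothetical benign exclusion as a control, and applies those four checks. The stray quote after powershell.exe and schtasks.exe is kept exactly as the report prints the captured command lines.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the new process
    cmdline: str  # command line as captured


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


# Constructed events transcribed from the "Process created" rows of this report. The last
# event is a hypothetical benign control (an admin excluding a Program Files path), not
# something the report shows.
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\Order Specification.exe"
EVENTS = [
    ProcessEvent(SAMPLE, PS_IMAGE,
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe'),
    ProcessEvent(SAMPLE, PS_IMAGE,
                 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe'),
    ProcessEvent(SAMPLE, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp'),
    ProcessEvent(SAMPLE, SAMPLE, SAMPLE),
    ProcessEvent(SAMPLE, r"C:\Users\user\AppData\Local\Temp\host process.exe",
                 r'"C:\Users\user\AppData\Local\Temp\host process.exe" 0'),
    ProcessEvent(SAMPLE, r"C:\Users\user\AppData\Local\Temp\O.stub.exe",
                 r'"C:\Users\user\AppData\Local\Temp\O.stub.exe" 0'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\app"'),
]

USER_WRITABLE_HINTS = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\public\\")
TEMP_HINT = "\\appdata\\local\\temp\\"
EXCLUSION_RE = re.compile(r'-ExclusionPath\s+"?([^"]+)', re.IGNORECASE)
XML_RE = re.compile(r'/XML\s+"?([^"]+)', re.IGNORECASE)
TASKNAME_RE = re.compile(r'/TN\s+"?([^"]+)', re.IGNORECASE)


def norm(path: str) -> str:
    """Lower-case, strip quotes and whitespace, unify separators."""
    return path.strip().strip('"').lower().replace("/", "\\")


def is_user_writable(path: str) -> bool:
    """True for locations under a user profile that a standard user can write to."""
    p = norm(path)
    return "\\users\\" in p and any(h in p for h in USER_WRITABLE_HINTS)


def analyse(ev: ProcessEvent) -> List[Finding]:
    out: List[Finding] = []
    image, parent, cmd = norm(ev.image), norm(ev.parent), ev.cmdline
    base = image.rsplit("\\", 1)[-1]

    # 1. Defender exclusion added from PowerShell; severity rises when the excluded path or
    #    the caller lives somewhere a standard user can write.
    if base == "powershell.exe" and "add-mppreference" in cmd.lower():
        m = EXCLUSION_RE.search(cmd)
        target = m.group(1).strip() if m else "?"
        sev = "high" if is_user_writable(target) or is_user_writable(parent) else "medium"
        out.append(Finding("defender_exclusion", sev, ev.image, f"excludes {target}"))

    # 2. Scheduled task created from an XML definition dropped in %TEMP%.
    if base == "schtasks.exe" and "/create" in cmd.lower():
        xml = XML_RE.search(cmd)
        if xml and TEMP_HINT in norm(xml.group(1)):
            tn = TASKNAME_RE.search(cmd)
            name = tn.group(1).strip() if tn else "?"
            out.append(Finding("schtasks_xml_from_temp", "high", ev.image,
                               f"task {name} defined by {xml.group(1).strip()}"))

    # 3. A process starting a second copy of its own image.
    if image == parent:
        out.append(Finding("self_relaunch", "medium", ev.image, "re-launched its own image"))

    # 4. Anything executing out of %TEMP%.
    if TEMP_HINT in image:
        out.append(Finding("exec_from_temp", "medium", ev.image, f"spawned by {ev.parent}"))
    return out


def analyse_all(events: List[ProcessEvent]) -> List[Finding]:
    return [f for ev in events for f in analyse(ev)]


if __name__ == "__main__":
    for f in analyse_all(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} ({f.detail})")
```

The control event still produces a medium defender_exclusion finding on purpose: an exclusion is always worth a log line, and the user-writable test is what separates the routine case from the one in this report, where both the excluded files and the process issuing the command sit under C:\Users.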
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Users\user\Desktop\Order Specification.exe VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.O.stub.exe.fd0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.O.stub.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.O.stub.exe.fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
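The Yara-match rows above name memory by Joe Sandbox dump identifiers rather than by process, so which dumps matter is not obvious at a glance. The following Python is an added example, not part of the report or of Joe Sandbox: it decodes both identifier forms, ties the hex process index of the .sdmp names to the decimal index of the .unpack names, and flags regions whose protection and type read as executable non-image memory, the shape a hollowed or manually mapped payload has (here the unpacked RAT image at 0x400000 in process 14). Reading the fifth and seventh dotted fields as the MEMORY_BASIC_INFORMATION Protect and Type values is this example's assumption, made because every value in the report matches those constants; the remaining fields are left undecoded.

```python
import re
from dataclasses import dataclass
from typing import Optional

# winnt.h page-protection and region-type constants. Treating the 5th and 7th
# dotted fields of a .sdmp name as Protect and Type is an ASSUMPTION of this
# example, based on the values seen in the report (0x02/0x04/0x40 and
# 0x20000/0x40000/0x1000000), not on a documented Joe Sandbox format.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {PAGE_PROTECT[p] for p in (0x10, 0x20, 0x40, 0x80)}

# <pid hex>.<phase hex>.<timestamp>.<base>.<protect>.<?>.<type>.<?>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# <pid>.<phase>.<image name>.<base hex>.<index>.[raw.]unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$"
)


@dataclass
class Region:
    pid: int                      # sandbox process index, shared by both name forms
    phase: int                    # 0 = process start, 2 = end of analysis, as used in the report
    base: int
    protect: Optional[str] = None
    mem_type: Optional[str] = None
    image: Optional[str] = None   # only known from .unpack names
    raw: bool = False

    @property
    def exec_non_image(self) -> bool:
        """Executable memory not backed by a loaded image file: what RunPE /
        process hollowing / manual mapping leaves behind."""
        return self.protect in EXECUTABLE and self.mem_type in ("MEM_PRIVATE", "MEM_MAPPED")


def parse_source(name: str) -> Optional[Region]:
    """Decode one 'File source' identifier; None if it is neither form."""
    m = SDMP_RE.match(name)
    if m:
        prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
        return Region(pid=int(m["pid"], 16), phase=int(m["phase"], 16), base=int(m["base"], 16),
                      protect=PAGE_PROTECT.get(prot, hex(prot)), mem_type=MEM_TYPE.get(mtype, hex(mtype)))
    m = UNPACK_RE.match(name)
    if m:
        return Region(pid=int(m["pid"]), phase=int(m["phase"]), base=int(m["base"], 16),
                      image=m["image"], raw=bool(m["raw"]))
    return None


def injected_code_candidates(names):
    """pid -> sorted bases of dumped regions that are executable but not image-backed."""
    out = {}
    for n in names:
        r = parse_source(n)
        if r and r.exec_non_image:
            out.setdefault(r.pid, set()).add(r.base)
    return {pid: sorted(bases) for pid, bases in out.items()}


def image_names(names):
    """pid -> image file name, recovered from the .unpack identifiers."""
    out = {}
    for n in names:
        r = parse_source(n)
        if r and r.image:
            out[r.pid] = r.image
    return out


# Identifiers copied from the report's Yara-match rows (a subset, for the demo).
REPORT_SOURCES = [
    "14.2.Order Specification.exe.400000.0.unpack",
    "17.0.O.stub.exe.fd0000.3.unpack",
    "16.2.host process.exe.90000.0.unpack",
    "23.2.dhcpmon.exe.100000.0.unpack",
    "14.0.Order Specification.exe.435c11.14.raw.unpack",
    "0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp",
    "0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp",
    "00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp",
    "00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp",
    "00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    names = image_names(REPORT_SOURCES)
    for pid, bases in injected_code_candidates(REPORT_SOURCES).items():
        print(pid, names.get(pid), [hex(b) for b in bases])
```

On the report's identifiers this singles out process 14 (the second Order Specification.exe instance) with RWX private memory at 0x403000 already present in the phase-0 dump, while the O.stub.exe, host process.exe and dhcpmon.exe matches sit in read-only MEM_IMAGE regions, i.e. files that were dropped to disk and loaded normally. That distinction tells a responder which artefacts can be carved from disk and which must come from a memory dump.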
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: Yara match | File source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR
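The nine file and registry accesses above are the credential stores a stealer of this family reads (mail clients, browsers, WinSCP, FTP clients), all from one process that runs out of %TEMP%. Detecting this on an endpoint is a correlation problem, not a single-event match: each access on its own is something the owning application does every day. The following Python is an added example, not from the report or from any vendor: it folds Sysmon-style file-open and registry-open records into one verdict per process, ignores the application that legitimately owns each store, and scores a process that reads stores of several categories, or reads any foreign store while running from a user-writable directory. The event records are constructed here to mirror the rows above; the owner allow-list and the directory list are assumptions to tune per estate.

```python
# Credential stores the sample opened, taken from the report's rows and grouped
# by what they hold. Matching is case-insensitive substring on the path.
CREDENTIAL_STORES = {
    "mail": [
        r"\thunderbird\profiles.ini",
        r"\windows messaging subsystem\profiles\outlook",
        r"\incredimail\identities",
    ],
    "browser": [
        r"\mozilla\firefox\profiles.ini",
        r"\google\chrome\user data\default\login data",
    ],
    "winscp": [r"\martin prikryl\winscp 2\sessions"],
    "ftp": [r"\smartftp\client 2.0\favorites", r"\filezilla\recentservers.xml"],
}

# ASSUMED allow-list: processes expected to read each store. Extend per estate.
LEGIT_OWNERS = {
    "mail": {"thunderbird.exe", "outlook.exe", "incredimail.exe"},
    "browser": {"firefox.exe", "chrome.exe"},
    "winscp": {"winscp.exe"},
    "ftp": {"filezilla.exe", "smartftp.exe"},
}

# ASSUMED list of directories a dropper typically executes from. Weak alone,
# strong in combination with foreign credential-store access.
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads")


def classify_target(target: str):
    """Credential category of a file or registry path, or None if it is not a store."""
    t = target.lower().replace("/", "\\")
    for category, needles in CREDENTIAL_STORES.items():
        if any(n in t for n in needles):
            return category
    return None


def triage(events):
    """Fold access events into one record per pid.

    Each event: {"pid", "image", "op" ("FileOpen" | "RegKeyOpen"), "target"}.
    A process is suspicious when it reads stores of two or more categories it
    does not own, or reads any foreign store while running from a user-writable
    directory. The owning application reading its own store is dropped early.
    """
    per_pid = {}
    for ev in events:
        cat = classify_target(ev["target"])
        if cat is None:
            continue
        exe = ev["image"].lower().rsplit("\\", 1)[-1]
        if exe in LEGIT_OWNERS.get(cat, set()):
            continue
        rec = per_pid.setdefault(ev["pid"], {"image": ev["image"], "categories": set(), "targets": []})
        rec["categories"].add(cat)
        rec["targets"].append((ev["op"], ev["target"]))
    for rec in per_pid.values():
        from_user_dir = any(d in rec["image"].lower() for d in USER_WRITABLE_DIRS)
        rec["from_user_writable"] = from_user_dir
        rec["suspicious"] = len(rec["categories"]) >= 2 or (from_user_dir and bool(rec["categories"]))
    return per_pid


# Constructed events mirroring the report's rows (pid 6424 is the report's
# O.stub.exe); the firefox.exe and explorer.exe events are benign controls.
STUB = r"C:\Users\user\AppData\Local\Temp\O.stub.exe"
SAMPLE_EVENTS = [
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 6424, "image": STUB, "op": "RegKeyOpen", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 6424, "image": STUB, "op": "RegKeyOpen", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 6424, "image": STUB, "op": "RegKeyOpen", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"},
    {"pid": 6424, "image": STUB, "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 1234, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "FileOpen", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4321, "image": r"C:\Windows\explorer.exe", "op": "FileOpen", "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, rec in triage(SAMPLE_EVENTS).items():
        print(pid, rec["image"], sorted(rec["categories"]), "suspicious" if rec["suspicious"] else "ok")
```

The two-category threshold is what separates a stealer from a backup agent or a migration tool that legitimately touches one store; the user-writable-directory clause catches the single-category case the threshold would miss when the reader is a freshly dropped binary, as O.stub.exe is here.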

Remote Access Functionality

              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.559647777.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.559647777.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: host process.exe, 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: host process.exe, 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe, 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
              Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_049B2AB2 bind,
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_049B2A60 bind,
              MITRE ATT&CK matrix (one tactic per column; the numeric badges the report shows in front of a technique are kept as they appear):

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Access Token Manipulation | 21 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | 1 Credentials in Registry | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 14 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 111 Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 111 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 560231
Sample: Order Specification.exe
Startdate: 26/01/2022
Architecture: WINDOWS
Score: 100

Top level:
• DNS/IP Info: timmy13.ddns.net
• Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures
• Started: Order Specification.exe (7); dhcpmon.exe

Order Specification.exe (7):
• Created files: C:\Users\user\AppData\Roaming\hSoFri.exe (PE32, dropped); C:\Users\user\...\hSoFri.exe:Zone.Identifier (ASCII, dropped); C:\Users\user\AppData\Local\...\tmpAB8A.tmp (XML, dropped); C:\Users\user\...\Order Specification.exe.log (ASCII, dropped)
• Signatures: Adds a directory exclusion to Windows Defender
• Started: Order Specification.exe (child); powershell.exe (24); powershell.exe (25); schtasks.exe

dhcpmon.exe:
• Created files: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII, dropped)

Order Specification.exe (child):
• DNS/IP Info: 192.168.2.1 unknown unknown
• Created files: C:\Users\user\AppData\...\host process.exe (PE32, dropped); C:\Users\user\AppData\Local\Temp\O.stub.exe (PE32, dropped)
• Started: O.stub.exe; host process.exe

powershell.exe (24):
• Started: conhost.exe

powershell.exe (25):
• Started: conhost.exe

schtasks.exe:
• Started: conhost.exe

O.stub.exe:
• DNS/IP Info: smtp.yandex.ru 77.88.21.158, 49798, 587 YANDEXRU Russian Federation; smtp.yandex.com
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 8 other signatures

host process.exe:
• DNS/IP Info: timmy13.ddns.net 185.140.53.138, 28289, 49750, 49753 DAVID_CRAIGGG Sweden
• Created files: C:\Program Files (x86)\...\dhcpmon.exe (PE32, dropped); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859, dropped)
• Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)

Source | Detection | Scanner | Label
Order Specification.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\O.stub.exe | 100% | Avira | TR/Spy.Gen8
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hSoFri.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 79% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\O.stub.exe | 61% | Virustotal |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 56% | Metadefender |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\host process.exe | 79% | Virustotal |
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\hSoFri.exe | 16% | ReversingLabs | Win32.Trojan.Woreflint
Source | Detection | Scanner | Label
16.0.host process.exe.90000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.2.Order Specification.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
23.2.dhcpmon.exe.100000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Order Specification.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
2.2.Order Specification.exe.3789930.3.unpack | 100% | Avira | TR/Dropper.Gen
16.2.host process.exe.90000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.O.stub.exe.fd0000.3.unpack | 100% | Avira | HEUR/AGEN.1138205
17.0.O.stub.exe.fd0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
16.0.host process.exe.90000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.2.host process.exe.4ff0000.8.unpack | 100% | Avira | TR/NanoCore.fadte
16.0.host process.exe.90000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.O.stub.exe.fd0000.1.unpack | 100% | Avira | HEUR/AGEN.1138205
2.2.Order Specification.exe.3dcec00.5.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
23.0.dhcpmon.exe.100000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.host process.exe.90000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.2.O.stub.exe.fd0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
17.0.O.stub.exe.fd0000.2.unpack | 100% | Avira | HEUR/AGEN.1138205
              No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://MSN1yB6AgP4w05v9.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
timmy13.ddns.net | 185.140.53.138 | true | false | | high
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://MSN1yB6AgP4w05v9.net | O.stub.exe, 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
185.140.53.138 | timmy13.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | false
                                          IP
                                          192.168.2.1
                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:560231
                                          Start date:26.01.2022
                                          Start time:09:40:28
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 14m 25s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:Order Specification.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:30
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@17/15@15/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 4.8% (good quality ratio 2.8%)
                                          • Quality average: 29.8%
                                          • Quality standard deviation: 28.8%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:41:47 | API Interceptor | 2x Sleep call for process: Order Specification.exe modified
09:42:06 | API Interceptor | 78x Sleep call for process: powershell.exe modified
09:42:22 | API Interceptor | 489x Sleep call for process: host process.exe modified
09:42:27 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:42:37 | API Interceptor | 373x Sleep call for process: O.stub.exe modified
                                          No context
                                          Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):207360
                                          Entropy (8bit):7.448972782235035
                                          Encrypted:false
                                          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                          MD5:042FA6CD64D8F55F1405D130E306E47A
                                          SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                          SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                          SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                          Malicious:true
                                          Yara Hits:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Virustotal, Detection: 79%, Browse
                                          • Antivirus: ReversingLabs, Detection: 100%
                                          Reputation:unknown
                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):0
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):22320
                                          Entropy (8bit):5.602295366370523
                                          Encrypted:false
                                          SSDEEP:384:utCD59q0H9h5jM7kXRngSBKn4jultIi3zY9gFSJ3x6T1MaPZlbAV7VWwm5ZBDI+S:fqk5g4K4Clt9LFcACOfwIVQ
                                          MD5:56D65B81BCA3D13EF462EE79DDD45A01
                                          SHA1:B2028A764FFE8032980B30AAF47693DDAFA0E18A
                                          SHA-256:61D13A9F1A04202A2E8F9A24DFD2E5E7F65E45E7F5D2D8BD62CB591FD61700D8
                                          SHA-512:8342A4FA8C24A3DA6A7F08D2C92340AEB83174663C74EEE2BFFD1F4C51C92398FF79CA9580597531BBBA110CF3C13266EC3956185B01945A676D66019A8E7F84
                                          Malicious:false
                                          Reputation:unknown
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):283136
                                          Entropy (8bit):6.583518106694022
                                          Encrypted:false
                                          SSDEEP:3072:48lUfsVrpgVIRckQkPIQBoczsDnW+xtUpYslLR8o5s9ODfa8CKeZp/YUNRnoFd18:48lZgPlhKYc2K+p/YUk1wP6D
                                          MD5:69709CD1D2019B22E72550ABE3AEF9D7
                                          SHA1:D82D111D5ECB7E2D4DA56C40E9B6EFB409C90243
                                          SHA-256:B1C71A6054350653138D7C6D9E501DC09E79BCDFD5FECD4F29461B7CA7DA23A4
                                          SHA-512:5268D185A569FC35CE5761B47713A9D94018A9EA7C9C42EE5942A13722C8D460C3D7760996F21604AA188C24C17EA64DF516D261A73E2BCE5FD75FCBABF83861
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                           • Antivirus: Virustotal, Detection: 61%
                                           • Antivirus: Metadefender, Detection: 56%
                                          • Antivirus: ReversingLabs, Detection: 86%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ul.^.................J...........i... ........@.. ....................................@..................................i..W....... ............................................................................ ............... ..H............text....I... ...J.................. ..`.rsrc... ............L..............@..@.reloc...............P..............@..B.................i......H..................L............................................................q;.SfQ.k..g.2&.0..W.a..JaAN'nG.2N.. .....e..@N.J......@...DG9.....j...GSENaO.p..u..2.. q4......7...U...]..].h7C2..H.{4.o0:.W.c...C.II*.3Mr........W.&F~5...J.r6IG{X..X.d..P..F...0........8GCU.}.r`...._.a.N..0vDjVG..6.9.3.\. ....8....5_X....`.B;.N....N....S_p..em,Rc.9.4_*5..p..kOPulz-.~..@........v.#K...c......p&X..K..> rH.Ra...$l.j4.n.."J.S.:..p6.)w...k.@".c..6..G...Ok.w...4....
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):207360
                                          Entropy (8bit):7.448972782235035
                                          Encrypted:false
                                          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                          MD5:042FA6CD64D8F55F1405D130E306E47A
                                          SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                          SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                          SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                          Malicious:true
                                          Yara Hits:
                                           • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                           • Antivirus: Virustotal, Detection: 79%
                                          • Antivirus: ReversingLabs, Detection: 100%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1593
                                          Entropy (8bit):5.141768339977495
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKsxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTvv
                                          MD5:037A61002A275FED53876DF0D9F642CC
                                          SHA1:108031CCE5F1F70B78C79DED404B7289F1050EFA
                                          SHA-256:54F25AE17434ED38BEE93878B8325F59A3668869BBFC788583A059F72F6C7D6E
                                          SHA-512:BA880318798540C1603B54CB6A8C9FF3FE30975E571E84A2F9442CA325699CD1B80439F496C750F25DCF164008F94A8B43C1E6F19230FB2573FEB42D78899133
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                          Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                          File Type:ISO-8859 text, with no line terminators
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:K/t:K/t
                                          MD5:7B01808876B71D5563C569BDB68ECBF0
                                          SHA1:91EBD369B216066E48E6CCD9C36A28CB7BBF5E24
                                          SHA-256:C0A3A593E0BF36CB3F38F7304189314A47335BC416E970307DEF03F341DE850B
                                          SHA-512:4FAE226A384554086A08DA7EDAD73FECBBCA07F8EB1B909EE94BD3F1C8142631460DA31B76195F650ABF20411AEA830E8F36A0E1F9A2107F3FA89F9EEFF679FA
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:@..4...H
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):1590272
                                          Entropy (8bit):6.940071765645881
                                          Encrypted:false
                                          SSDEEP:24576:M0KeYYX4u9x1MbMMwqG2whjg5SithktIhbeArHmNH/GsEp:M83x1MIpZ2wWSgb5rHmNf5
                                          MD5:0484C885885E6B4635CF330D72EABA9A
                                          SHA1:86ED8AE352598BA36D7B58CEBA43A81773AB0BB9
                                          SHA-256:762AA095E3249E971C9B8ED7B0BF6489648DB9A61496112FF237D6120F3E092B
                                          SHA-512:E3BFC22DDB3D4448AD0455E3B8541BB2AEC65D488AB5D9A97A5F3E9C8CB661495BFD94AFB91192092BCC14921C5A20F3B458E1A62B3211A554E5D38F34D10BF2
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 16%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@.....................................O................................................................................... ............... ..H............text...P.... ...................... ..`.rsrc..............................@..@.reloc...............B..............@..B.......................H.......<...\............... &...........................................0..G........r...p.......,..r...ps....z...(....(...........r...p.o....(....s....z.*..........-.......0..o........s......s......~..........(.........o.........,..(.......o ......*...rW..p..o....(....(!..........,..o".......*..(.......-..........4B..........Za.......0..o........s#........o$....s%......+......J...r...p(&...o'...&...X....i......-..o(.......&.r...p(!..........,..o".......*.........GO..........
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):5773
                                          Entropy (8bit):5.391356208223318
                                          Encrypted:false
                                          SSDEEP:96:BZGh0NDqDo1ZJZoh0NDqDo1ZQUycjZvh0NDqDo1ZrRMMZZq:L
                                          MD5:4A3328A227A57BB90B22780BCF60740B
                                          SHA1:1176B172DE936EA36D1D263FB1E175E6E4EB87E4
                                          SHA-256:50DAF7185A8E0BE02C81755127A9FEA05F8275699E86E4828D1AB61FB8F0F61B
                                          SHA-512:B966D850C4668C140817E2561F5F00526D7A39ED522F68B8C3098AE5EBFE8D54E262F8E227362DE047DDA455A54CAEC315A43B3E223C847C2895B52391956918
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126094208..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\hSoFri.exe..Process ID: 4404..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126094208..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\hSoFri.exe..**********************..Windows PowerShell transcript start..Start time: 20220126094606..Username: computer\user..RunAs User: computer\user..Confi
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3558
                                          Entropy (8bit):5.307359393941608
                                          Encrypted:false
                                          SSDEEP:96:BZwPh0NhqDo1ZSVgZdh0NhqDo1ZKqk10c10c10QZy:jRR0
                                          MD5:BE2FEB404409EB32D98953C5985A64D5
                                          SHA1:9A4DEC1A870A0F41E2E1B72E12A641128754D3F4
                                          SHA-256:AC2279268C7FDD3DA9C77C9D09C0CDF76F3381B97CC47F897A4EADA64AE85C97
                                          SHA-512:6BB027514F72D59AAD6E7F0C4451F2760EA9A5E1B352E57D41EF2F0333789117F25432B84273E7BE4BA740FE2C699EEF5BC3416D3A38991FB5D59ED134DCA376
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126094206..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Specification.exe..Process ID: 6828..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126094206..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Specification.exe..**********************..Command start time: 20220126094525..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter canno
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.940071765645881
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:Order Specification.exe
                                          File size:1590272
                                          MD5:0484c885885e6b4635cf330d72eaba9a
                                          SHA1:86ed8ae352598ba36d7b58ceba43a81773ab0bb9
                                          SHA256:762aa095e3249e971c9b8ed7b0bf6489648db9a61496112ff237d6120f3e092b
                                          SHA512:e3bfc22ddb3d4448ad0455e3b8541bb2aec65d488ab5d9a97a5f3e9c8cb661495bfd94afb91192092bcc14921c5a20f3b458e1a62b3211a554e5d38f34d10bf2
                                          SSDEEP:24576:M0KeYYX4u9x1MbMMwqG2whjg5SithktIhbeArHmNH/GsEp:M83x1MIpZ2wWSgb5rHmNf5
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@................................
                                          Icon Hash:4d306d4d4d574025
                                          Entrypoint:0x51bc0a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61F0A2FE [Wed Jan 26 01:25:18 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          mov byte ptr [eax-2C754571h], ch
                                          mov ecx, CFB1EDF5h
                                          jmp far 82EBh : FBB5E4AAh
                                          stc
                                          nop
                                          retf B5C9h
                                          out DCh, eax
                                          mov seg?, word ptr [edi-1F081154h]
                                          retf EA8Eh
                                          retf CE80h
                                          lds ebp, fword ptr [ebp-7B2F3B49h]
                                          xchg eax, ebx
                                          aad F0h
                                          jmp 00007FDF6CD032FAh
                                          mov ah, 9Dh
                                          int3
                                          scasd
                                          movsd
                                          xchg eax, ebp
                                          mov edx, 9DD28799h
                                          jecxz 00007FDF6CD032C3h
                                          mov edx, 0000CA90h
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11bbb8 | 0x4f | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11c000 | 0x6a0d0 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x188000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0x119c50 | 0x119e00 | False | 0.788106291574 | data | 7.72216008471 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x11c000 | 0x6a0d0 | 0x6a200 | False | 0.0926779667256 | data | 2.61241368122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0x188000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country
                                           RT_ICON | 0x11c2e0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                           RT_ICON | 0x11c748 | 0x988 | data | |
                                           RT_ICON | 0x11d0d0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x11e178 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x120720 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x124948 | 0x5488 | data | |
                                           RT_ICON | 0x129dd0 | 0x94a8 | data | |
                                           RT_ICON | 0x133278 | 0x10828 | data | |
                                           RT_ICON | 0x143aa0 | 0x42028 | data | |
                                           RT_GROUP_ICON | 0x185ac8 | 0x84 | data | |
                                           RT_GROUP_ICON | 0x185b4c | 0x14 | data | |
                                           RT_VERSION | 0x185b60 | 0x384 | data | |
                                           RT_MANIFEST | 0x185ee4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2012
Assembly Version | 1.5.0.0
InternalName | CompareOptio.exe
FileVersion | 22.0.3.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | iiInfinityEngine Application
ProductVersion | 22.0.3.0
FileDescription | iiInfinityEngine Application
OriginalFilename | CompareOptio.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/26/22-09:42:25.202538 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60784 | 8.8.8.8 | 192.168.2.3
01/26/22-09:42:31.066171 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51143 | 8.8.8.8 | 192.168.2.3
01/26/22-09:42:49.473655 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60823 | 8.8.8.8 | 192.168.2.3
01/26/22-09:42:55.066247 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53615 | 8.8.8.8 | 192.168.2.3
01/26/22-09:43:00.728056 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50728 | 8.8.8.8 | 192.168.2.3
01/26/22-09:43:18.172469 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56773 | 8.8.8.8 | 192.168.2.3
01/26/22-09:43:34.057225 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64367 | 8.8.8.8 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2022 09:42:25.413542986 CET | 49750 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:25.437572002 CET | 28289 | 49750 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:25.995548964 CET | 49750 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:26.019963026 CET | 28289 | 49750 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:26.683099031 CET | 49750 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:26.707214117 CET | 28289 | 49750 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:31.070813894 CET | 49753 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:31.095087051 CET | 28289 | 49753 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:31.636681080 CET | 49753 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:31.661022902 CET | 28289 | 49753 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:32.324274063 CET | 49753 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:32.348824024 CET | 28289 | 49753 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:37.165430069 CET | 49754 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:37.189677954 CET | 28289 | 49754 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:37.699693918 CET | 49754 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:37.724140882 CET | 28289 | 49754 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:38.233750105 CET | 49754 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:38.264256001 CET | 28289 | 49754 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:44.025048971 CET | 49760 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:44.050307035 CET | 28289 | 49760 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:44.684680939 CET | 49760 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:44.709080935 CET | 28289 | 49760 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:45.294202089 CET | 49760 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:45.318766117 CET | 28289 | 49760 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:49.475091934 CET | 49761 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:49.499051094 CET | 28289 | 49761 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:50.200834036 CET | 49761 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:50.224621058 CET | 28289 | 49761 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:50.794548988 CET | 49761 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:50.818496943 CET | 28289 | 49761 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:55.067900896 CET | 49784 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:55.093947887 CET | 28289 | 49784 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:55.748058081 CET | 49784 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:55.773073912 CET | 28289 | 49784 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:42:56.435626984 CET | 49784 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:42:56.459872007 CET | 28289 | 49784 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:00.730895996 CET | 49795 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:00.760390997 CET | 28289 | 49795 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:01.436028957 CET | 49795 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:01.459940910 CET | 28289 | 49795 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:02.045429945 CET | 49795 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:02.070069075 CET | 28289 | 49795 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:03.448259115 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.510001898 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.512106895 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.766495943 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.766866922 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.828352928 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.828377008 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.829010963 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.858525038 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.891742945 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.892321110 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:03.920800924 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3
Jan 26, 2022 09:43:03.920892954 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158
Jan 26, 2022 09:43:06.444497108 CET | 49799 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:06.470789909 CET | 28289 | 49799 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:07.045845985 CET | 49799 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:07.070511103 CET | 28289 | 49799 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:07.749552965 CET | 49799 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:07.773572922 CET | 28289 | 49799 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:11.848099947 CET | 49800 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:11.872548103 CET | 28289 | 49800 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:12.374260902 CET | 49800 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:12.399605036 CET | 28289 | 49800 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:12.905803919 CET | 49800 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:12.930325031 CET | 28289 | 49800 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:18.255517006 CET | 49801 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:18.279756069 CET | 28289 | 49801 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:18.859469891 CET | 49801 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:18.883594990 CET | 28289 | 49801 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:19.546945095 CET | 49801 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:19.571166992 CET | 28289 | 49801 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:23.764676094 CET | 49812 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:23.788708925 CET | 28289 | 49812 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:24.297321081 CET | 49812 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:24.321443081 CET | 28289 | 49812 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:24.828886032 CET | 49812 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:24.853584051 CET | 28289 | 49812 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:28.929555893 CET | 49825 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:28.954113960 CET | 28289 | 49825 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:29.470803022 CET | 49825 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:29.495146990 CET | 28289 | 49825 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:30.006247997 CET | 49825 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:30.031552076 CET | 28289 | 49825 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:34.060241938 CET | 49826 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:34.097584009 CET | 28289 | 49826 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:34.611599922 CET | 49826 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:34.639548063 CET | 28289 | 49826 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:35.142877102 CET | 49826 | 28289 | 192.168.2.3 | 185.140.53.138
Jan 26, 2022 09:43:35.167876959 CET | 28289 | 49826 | 185.140.53.138 | 192.168.2.3
Jan 26, 2022 09:43:39.323319912 CET | 49827 | 28289 | 192.168.2.3 | 185.140.53.138
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2022 09:42:25.182646990 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:25.202538013 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:42:31.044960976 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:31.066170931 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:42:37.120547056 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:37.140003920 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:42:44.004282951 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:44.023794889 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:42:49.449872017 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:49.473654985 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:42:55.044657946 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:42:55.066246986 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:00.704776049 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:00.728055954 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:03.380341053 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:03.403417110 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:06.362476110 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:06.382766008 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:11.825968981 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:11.846683979 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:18.151487112 CET | 56773 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:18.172468901 CET | 53 | 56773 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:23.688218117 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:23.708151102 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:28.907742977 CET | 58058 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:28.928096056 CET | 53 | 58058 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:34.035686016 CET | 64367 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:34.057224989 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.3
Jan 26, 2022 09:43:39.300755024 CET | 51539 | 53 | 192.168.2.3 | 8.8.8.8
Jan 26, 2022 09:43:39.320759058 CET | 53 | 51539 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 26, 2022 09:42:25.182646990 CET | 192.168.2.3 | 8.8.8.8 | 0x1944 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:31.044960976 CET | 192.168.2.3 | 8.8.8.8 | 0x99ad | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:37.120547056 CET | 192.168.2.3 | 8.8.8.8 | 0x4c6f | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:44.004282951 CET | 192.168.2.3 | 8.8.8.8 | 0x29e8 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:49.449872017 CET | 192.168.2.3 | 8.8.8.8 | 0x8e4b | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:55.044657946 CET | 192.168.2.3 | 8.8.8.8 | 0xf198 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:00.704776049 CET | 192.168.2.3 | 8.8.8.8 | 0xd685 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:03.380341053 CET | 192.168.2.3 | 8.8.8.8 | 0x7ff7 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:06.362476110 CET | 192.168.2.3 | 8.8.8.8 | 0x5eec | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:11.825968981 CET | 192.168.2.3 | 8.8.8.8 | 0xf564 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:18.151487112 CET | 192.168.2.3 | 8.8.8.8 | 0xf7f1 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:23.688218117 CET | 192.168.2.3 | 8.8.8.8 | 0x8d5a | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:28.907742977 CET | 192.168.2.3 | 8.8.8.8 | 0x51e8 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:34.035686016 CET | 192.168.2.3 | 8.8.8.8 | 0x791d | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:39.300755024 CET | 192.168.2.3 | 8.8.8.8 | 0x8650 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 26, 2022 09:42:25.202538013 CET | 8.8.8.8 | 192.168.2.3 | 0x1944 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:31.066170931 CET | 8.8.8.8 | 192.168.2.3 | 0x99ad | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:37.140003920 CET | 8.8.8.8 | 192.168.2.3 | 0x4c6f | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:44.023794889 CET | 8.8.8.8 | 192.168.2.3 | 0x29e8 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:49.473654985 CET | 8.8.8.8 | 192.168.2.3 | 0x8e4b | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:42:55.066246986 CET | 8.8.8.8 | 192.168.2.3 | 0xf198 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:00.728055954 CET | 8.8.8.8 | 192.168.2.3 | 0xd685 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:03.403417110 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff7 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Jan 26, 2022 09:43:03.403417110 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff7 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:06.382766008 CET | 8.8.8.8 | 192.168.2.3 | 0x5eec | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:11.846683979 CET | 8.8.8.8 | 192.168.2.3 | 0xf564 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:18.172468901 CET | 8.8.8.8 | 192.168.2.3 | 0xf7f1 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:23.708151102 CET | 8.8.8.8 | 192.168.2.3 | 0x8d5a | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:28.928096056 CET | 8.8.8.8 | 192.168.2.3 | 0x51e8 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:34.057224989 CET | 8.8.8.8 | 192.168.2.3 | 0x791d | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Jan 26, 2022 09:43:39.320759058 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 26, 2022 09:43:03.766495943 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 220 myt5-aad1beefab42.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1643186583-1Uow8YIc1E-h3HeBpvb
Jan 26, 2022 09:43:03.766866922 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 468325
Jan 26, 2022 09:43:03.828377008 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 250-myt5-aad1beefab42.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Jan 26, 2022 09:43:03.829010963 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS
Jan 26, 2022 09:43:03.891742945 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead


                                          Target ID:2
                                          Start time:09:41:22
                                          Start date:26/01/2022
                                          Path:C:\Users\user\Desktop\Order Specification.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Order Specification.exe"
                                          Imagebase:0x330000
                                          File size:1590272 bytes
                                          MD5 hash:0484C885885E6B4635CF330D72EABA9A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          Target ID:8
                                          Start time:09:42:03
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe"
                                          Imagebase:0x1230000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:9
                                          Start time:09:42:04
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:10
                                          Start time:09:42:05
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe"
                                          Imagebase:0x1230000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:11
                                          Start time:09:42:06
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:12
                                          Start time:09:42:06
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp"
                                          Imagebase:0xaf0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:13
                                          Start time:09:42:08
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:14
                                          Start time:09:42:09
                                          Start date:26/01/2022
                                          Path:C:\Users\user\Desktop\Order Specification.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\Order Specification.exe
                                          Imagebase:0xfb0000
                                          File size:1590272 bytes
                                          MD5 hash:0484C885885E6B4635CF330D72EABA9A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Visual Basic
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          Target ID:16
                                          Start time:09:42:15
                                          Start date:26/01/2022
                                          Path:C:\Users\user\AppData\Local\Temp\host process.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\host process.exe" 0
                                          Imagebase:0x90000
                                          File size:207360 bytes
                                          MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 79%, Virustotal
                                          • Detection: 100%, ReversingLabs
                                          Reputation:low

                                          Target ID:17
                                          Start time:09:42:18
                                          Start date:26/01/2022
                                          Path:C:\Users\user\AppData\Local\Temp\O.stub.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
                                          Imagebase:0xfd0000
                                          File size:283136 bytes
                                          MD5 hash:69709CD1D2019B22E72550ABE3AEF9D7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 61%, Virustotal
                                          • Detection: 56%, Metadefender
                                          • Detection: 86%, ReversingLabs
                                          Reputation:low

                                          Target ID:23
                                          Start time:09:42:35
                                          Start date:26/01/2022
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                          Imagebase:0x100000
                                          File size:207360 bytes
                                          MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 79%, Virustotal
                                          • Detection: 100%, ReversingLabs
                                          Reputation:low

                                          No disassembly