
Windows Analysis Report SKGCTMGCarta20210701516374466893343426doc.exe

Overview

General Information

Sample Name: SKGCTMGCarta20210701516374466893343426doc.exe
Analysis ID: 451593
MD5: 0eb0833449cec388f8157458fc600691
SHA1: 63c969feee64e6fe65d289fbbdf6e2c971f8878b
SHA256: 945ab6b146dc530e61824b8ccdd396c6c5d84c9537736db859771b1ee2dd93fe
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • SKGCTMGCarta20210701516374466893343426doc.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe' MD5: 0EB0833449CEC388F8157458FC600691)
    • schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "01f9d977-6605-495e-941a-753d3cd6",
  "Group": "4Maticross.",
  "Domain1": "178.170.138.163",
  "Domain2": "",
  "Port": 5626,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Disable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Disable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Memory Dumps

Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
(5 of 37 entries shown)

Unpacked PEs

Source: 9.2.MSBuild.exe.5270000.20.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 9.2.MSBuild.exe.5270000.20.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 9.2.MSBuild.exe.53b0000.25.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
Source: 9.2.MSBuild.exe.53b0000.25.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(5 of 121 entries shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe', ParentImage: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe, ParentProcessId: 6916, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: 178.170.138.163; Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe; ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match; file sources:
  • 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
  • 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
  • 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  • 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
  • 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
  • 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
  • Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Joe Sandbox ML: detected
Source: 9.2.MSBuild.exe.53c0000.27.unpack; Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.38f8a10.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb; source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 178.170.138.163
Source: global traffic; TCP traffic: 192.168.2.4:49744 -> 178.170.138.163:5626
Source: Joe Sandbox View; IP Address: 178.170.138.163
Source: Joe Sandbox View; ASN Name: ETOP-ASPL
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443