Windows Analysis Report 1FB6ncJ5XP.exe

Overview

General Information

Sample Name: 1FB6ncJ5XP.exe
Analysis ID: 500301
MD5: e90d3150b729f9e9f8271ed964da0d14
SHA1: 08f865e0f25ca9f7e19f04e8d437214f924c3bb8
SHA256: b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e
Tags: exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a34ced25-fb8b-4570-a6e3-066f7f9b", "Group": "AAA", "Domain1": "ella666.duckdns.org", "Domain2": "mikeljack321.ddns.net", "Port": 31829, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "ella666.duckdns.org"}
Multi AV Scanner detection for submitted file
Source: 1FB6ncJ5XP.exe Virustotal: Detection: 36% Perma Link
Source: 1FB6ncJ5XP.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe ReversingLabs: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack Avira: Label: TR/NanoCore.fadte

Compliance:

barindex
Uses 32bit PE files
Source: 1FB6ncJ5XP.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1FB6ncJ5XP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.140.53.6 ports 31829,1,2,3,8,9
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ella666.duckdns.org
Source: Malware configuration extractor URLs: mikeljack321.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: ella666.duckdns.org
Source: unknown DNS query: name: mikeljack321.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.140.53.6 185.140.53.6
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49754 -> 185.140.53.6:31829
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 1FB6ncJ5XP.exe String found in binary or memory: http://github.com/besentv
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: ella666.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: 1FB6ncJ5XP.exe, MainUI.cs Long String: Length: 23851
Source: 1FB6ncJ5XP.exe, MainUI.cs Long String: Length: 23852
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Long String: Length: 23851
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Long String: Length: 23852
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Long String: Length: 23851
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Long String: Length: 23852
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Long String: Length: 23851
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Long String: Length: 23852
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs Long String: Length: 23851
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs Long String: Length: 23852
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs Long String: Length: 23851
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs Long String: Length: 23852
Uses 32bit PE files
Source: 1FB6ncJ5XP.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C3266 0_2_009C3266
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116E6D0 0_2_0116E6D0
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116C0B4 0_2_0116C0B4
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116E6CA 0_2_0116E6CA
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C3292 0_2_009C3292
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A43266 7_2_00A43266
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528E471 7_2_0528E471
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528E480 7_2_0528E480
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528BBD4 7_2_0528BBD4
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A43292 7_2_00A43292
Sample file is different than original file name gathered from version info
Source: 1FB6ncJ5XP.exe Binary or memory string: OriginalFilename vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.337326122.00000000009C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.344947775.0000000007BD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe Binary or memory string: OriginalFilename vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000007.00000000.334824506.0000000000A42000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
Source: 1FB6ncJ5XP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QLpzxrlNoQJN.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1FB6ncJ5XP.exe Virustotal: Detection: 36%
Source: 1FB6ncJ5XP.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File read: C:\Users\user\Desktop\1FB6ncJ5XP.exe Jump to behavior
Source: 1FB6ncJ5XP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe 'C:\Users\user\Desktop\1FB6ncJ5XP.exe'
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp' Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@21/2
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: 1FB6ncJ5XP.exe, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs Base64 encoded string: 'z760SX4vNzTp1zAiGm7EOcvXQ73aAnmJcoBkHevETfGjClt0Ckps3dJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfEPGoZkY//0V+AKhOvN0DJJ7+S94mIXyNJIbEM8wXu9RRQqJWuC3FrHmsILWBQhCd0JYJL0oCou3HLeFY/tfODFsAHttkjELImcm4PmHokJ/IZkvJYAS7wdxxR0ucQ2rXb5PA07EW+iAT+S1Fd6XhRGtD0RCdSl79a3o5qDxiRLTt738SwYrI/RcoBkHevETfEG0n3G8swGVekOS8Rl2bCgKWo3nMpgGN0I4sCDlBwCLjorCvEXSA31aAMwo08+0DMkgFteO08gHG4MYvn8mmoPNoT7cY+1oiL5clkvONf/qOsVBGETKuh7G+433pb20twzPiYPROLajXJmfIX4xEeR8CIct+EdXwoNngFwframfaQxkcyxBDamcoBkHevETfFyf7SFhWRnkXJmfIX4xEeREE+RTZCOBIzyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRfGOc81PRz/5qNEpPUazHddJmfIX4xEeRe9RV/B9diXByf7SFhWRnkYUcfS9P3FIz7bK5mUerbdG7Kju1zpB3ND5rV3W+sCaCXThGcq7fYMlyf7SFhWRnkYY0kdWvfupPeJ8FT9ZEwwylYmLWPKPLUYkOS8Rl2bCgEG8rNLvRcMPyf7SFhWRnkXJmfIX4xEeRWyiXM+hWRdkSJsv101FHLpkiQ0YM4TrstaDNdUfGlr3JBu/VQbGaZXJmfIX4xEeRcoBkHevETfDod10WLPelYlJOP3kV1pCC0LJyQKdZTmAhmnvBiOft/3W21+QGcg+IcoBkHevETfD0rNOLNKuPa6XS3J0jDwm2coBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkSnFrmy+9MDdox6WpNhcaOWHf20UQbThqptAdBPW0F/L7v5cAKUkCEFyf7SFhWRnkX8Gp9uczezdcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfFyf7SFhWRnkXJmfIX4xEeRcoBkHevETfDAO3GzDZxmxgyNPniRLTVVrGWfkT9nVu6jdWaHudHyNVhHNX99X1Z1nnRh2vWUTbz60E/3VyfInum+oyJ6f31P8O933aYNPo3pE3O1BCcZANW4Jx0wb+Lxy1BFQvxQBbPSzBwTLcx43nhuBQ+ez2zzfGOc81PRz/4KlQx0Ey4oh27k3rHtDo4LSyQasRgalI6GB1s6oIn/7zyKYFnVw0EH5PTryEeskC+EqekSQGxNYF6SNYwiZT7DpKmB1ASFXECDd5rpY4Z9plBEIRjYgNQt8Z/5eDpQC6WThUpmNSfEbJ55Q/wMEpXKT/4bfh78OgFRYOnW2LNuuL5g4/u6GXH8EOvXDOtTnzArlmBxXPtn/jJXw2MqE5Cwh8yf8e0IGckJusbYzUvz5A2c4/ej2ulefAJWsFJytdWQbE+SNWhoSjvo18YOBhgpp84Ch50aBi9XGJALhMefqCxmD9JIVyGTwzF05GgrwEvGmYSEs3r3GNmTm3oKhw9A8cyrpxXOhXOkWWb8vvep1qCdNK8q4npkAq8XhHbA+1YjU3srpfNWiqkUpUH4+xj0vAXkSrkxCP/BRdMeMQ0ltf3tGf5skmWtv8ZNMFJKa4W9WSEIsHq7uOwB+ae9xDcfJH/dL+eHdcapI7V6ioIVQ8LMoQIPbPVwvsaI+UDbnoialb2QdCHR9u+trnwFcxA6S7fRluMjeprF+1txeU3n++Af3qfigy4LbfB4/YRl+EuIc8CfCrTlcrP0rskBklKHcs80cdH/SuzzLu9Krnr08hfdje1G8zQAbJkZD70zNuJBk0Wjf6dyOHchlfjgQvbuz0r757egiFKBU5ETg+bxJ4EbkL5vsPaBfpwE3IiQZ3eZVcSW9xEY64a51su0XTz7IZcLfCM0wRpYLbC3dOvq2/FFQ6/GObH0BA/baNel0Q2s1yXnFo86wi+sJW6vAAajbJYmh6hHL3pSYAo97tWINbF22Im4TR33ulRQ6HW7r1aQ6wy5RRUKb+/jiZGsux8I3D1H5XqNuQbTli4JJZ07v62
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Mutant created: \Sessions\1\BaseNamedObjects\jkYkqulLHC
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_01
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a34ced25-fb8b-4570-a6e3-066f7f9be505}
Source: 1FB6ncJ5XP.exe String found in binary or memory: MF0IPGE+p6yD2rytzZQzqCQRFRPccnYiLlMieltDTR4ROx71vg8y017n2HimrBDpJbhwnzfxqqJ+Z04f/y35/AdDff6uI3P185QBKqBZXQxxQSfGWXLKk/PKO4PFlGi2GzLFS9GdLG1qjGl7W4YrgWdRqNXRKnoVnGixN84qPlGdQsoLOGmedqwqYR4TNNDgIyw6YDWNvhvJR4veWHOXpJ6hfzVdXyf7SFhWRnkRvd2AM+U5AduEJfMOTCYVQJrUQ74q
Source: 1FB6ncJ5XP.exe String found in binary or memory: MF0IPGE+p6yD2rytzZQzqCQRFRPccnYiLlMieltDTR4ROx71vg8y017n2HimrBDpJbhwnzfxqqJ+Z04f/y35/AdDff6uI3P185QBKqBZXQxxQSfGWXLKk/PKO4PFlGi2GzLFS9GdLG1qjGl7W4YrgWdRqNXRKnoVnGixN84qPlGdQsoLOGmedqwqYR4TNNDgIyw6YDWNvhvJR4veWHOXpJ6hfzVdXyf7SFhWRnkRvd2AM+U5AduEJfMOTCYVQJrUQ74q
Source: 1FB6ncJ5XP.exe, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 1FB6ncJ5XP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1FB6ncJ5XP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 1FB6ncJ5XP.exe, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C5934 push es; retf 0_2_009C5C88
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A457F3 push es; retf 7_2_00A45C88
Source: initial sample Static PE information: section name: .text entropy: 7.39359374162
Source: initial sample Static PE information: section name: .text entropy: 7.39359374162
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File opened: C:\Users\user\Desktop\1FB6ncJ5XP.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339659740.0000000002E7E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 4244 Thread sleep time: -37107s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 4540 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 6132 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Window / User API: threadDelayed 3567 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Window / User API: threadDelayed 5797 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Window / User API: foregroundWindowGot 863 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Thread delayed: delay time: 37107 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 1FB6ncJ5XP.exe, 00000007.00000003.538555339.00000000010AE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Memory written: C:\Users\user\Desktop\1FB6ncJ5XP.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp' Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe Jump to behavior
Source: 1FB6ncJ5XP.exe, 00000007.00000002.571921722.00000000032EC000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 1FB6ncJ5XP.exe, 00000007.00000002.573932946.00000000063DD000.00000004.00000001.sdmp Binary or memory string: Program Manager 4L
Source: 1FB6ncJ5XP.exe, 00000007.00000002.573653225.000000000618C000.00000004.00000001.sdmp Binary or memory string: Program Managerp:
Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Users\user\Desktop\1FB6ncJ5XP.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Users\user\Desktop\1FB6ncJ5XP.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: 1FB6ncJ5XP.exe, 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 500301 Sample: 1FB6ncJ5XP.exe Startdate: 11/10/2021 Architecture: WINDOWS Score: 100 29 ella666.duckdns.org 2->29 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 11 other signatures 2->43 8 1FB6ncJ5XP.exe 7 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\...\QLpzxrlNoQJN.exe, PE32 8->21 dropped 23 C:\Users\user\AppData\Local\...\tmpCE1C.tmp, XML 8->23 dropped 25 C:\Users\user\AppData\...\1FB6ncJ5XP.exe.log, ASCII 8->25 dropped 45 Uses schtasks.exe or at.exe to add and modify task schedules 8->45 47 Injects a PE file into a foreign processes 8->47 12 1FB6ncJ5XP.exe 6 8->12         started        17 schtasks.exe 1 8->17         started        signatures6 process7 dnsIp8 31 ella666.duckdns.org 185.140.53.6, 31829, 49754, 49760 DAVID_CRAIGGG Sweden 12->31 33 mikeljack321.ddns.net 12->33 35 192.168.2.1 unknown unknown 12->35 27 C:\Users\user\AppData\Roaming\...\run.dat, data 12->27 dropped 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->49 19 conhost.exe 17->19         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.140.53.6
 mikeljack321.ddns.net Sweden
209623 DAVID_CRAIGGG true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
mikeljack321.ddns.net 185.140.53.6 true
ella666.duckdns.org 185.140.53.6 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
ella666.duckdns.org true
  • Avira URL Cloud: safe
 unknown
mikeljack321.ddns.net true
  • Avira URL Cloud: safe
 unknown