Windows Analysis Report 4jE4gfofqX.exe

Overview

General Information

Sample Name: 4jE4gfofqX.exe
Analysis ID: 553323
MD5: 39924fd67ad38b45a9f0871798074ec4
SHA1: 9d8af43fbfe30f21c5f0e147ddc211efb67e71c6
SHA256: 998746d0f5d0c13df720f0bf3981d652c828ea64d64d2e16736a80123fb534aa
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 4jE4gfofqX.exe (PID: 3080 cmdline: "C:\Users\user\Desktop\4jE4gfofqX.exe" MD5: 39924FD67AD38B45A9F0871798074EC4)
    • powershell.exe (PID: 6240 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7160 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGsmBdIfAIk" /XML "C:\Users\user\AppData\Local\Temp\tmpC7DE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5236 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 5684 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp20C3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6132 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp298E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6104 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6260 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5668 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "5ddb4cba-37cb-41bf-8dbf-b2a0e345", "Domain1": "nsayers4rm382.bounceme.net", "Domain2": "127.0.0.1", "Port": 2050, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.688995010.00000000030B1000.00000004.00000001.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
    • 0x1ad2:$a: NanoCore
    • 0x1af7:$a: NanoCore
    • 0x1b50:$a: NanoCore
    • 0x11ced:$a: NanoCore
    • 0x11d13:$a: NanoCore
    • 0x11d6f:$a: NanoCore
    • 0x1ebc4:$a: NanoCore
    • 0x1ec1d:$a: NanoCore
    • 0x1ec50:$a: NanoCore
    • 0x1ee7c:$a: NanoCore
    • 0x1eef8:$a: NanoCore
    • 0x1f511:$a: NanoCore
    • 0x1f65a:$a: NanoCore
    • 0x1fb2e:$a: NanoCore
    • 0x1fe15:$a: NanoCore
    • 0x1fe2c:$a: NanoCore
    • 0x253ca:$a: NanoCore
    • 0x25444:$a: NanoCore
    • 0x29fe1:$a: NanoCore
    • 0x2b39b:$a: NanoCore
    • 0x2b3e5:$a: NanoCore
Source: 00000007.00000000.679409854.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000007.00000000.679409854.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000007.00000000.679409854.0000000000402000.00000040.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q

Unpacked PEs

Source: 7.3.RegSvcs.exe.48881c5.0.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
      • 0x605:$x1: NanoCore.ClientPluginHost
      • 0x3bd6:$x1: NanoCore.ClientPluginHost
      • 0x63e:$x2: IClientNetworkHost
Source: 7.3.RegSvcs.exe.48881c5.0.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
      • 0x605:$x2: NanoCore.ClientPluginHost
      • 0x3bd6:$x2: NanoCore.ClientPluginHost
      • 0x720:$s4: PipeCreated
      • 0x3cb4:$s4: PipeCreated
      • 0x61f:$s5: IClientLoggingHost
      • 0x3bf0:$s5: IClientLoggingHost
Source: 0.2.4jE4gfofqX.exe.42e7670.3.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detects the Nanocore RAT; Author: Florian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.4jE4gfofqX.exe.42e7670.3.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
Source: 0.2.4jE4gfofqX.exe.42e7670.3.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\4jE4gfofqX.exe" , ParentImage: C:\Users\user\Desktop\4jE4gfofqX.exe, ParentProcessId: 3080, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGsmBdIfAIk" /XML "C:\Users\user\AppData\Local\Temp\tmpC7DE.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGsmBdIfAIk" /XML "C:\Users\user\AppData\Local\Temp\tmpC7DE.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\4jE4gfofqX.exe" , ParentImage: C:\Users\user\Desktop\4jE4gfofqX.exe, ParentProcessId: 3080, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGsmBdIfAIk" /XML "C:\Users\user\AppData\Local\Temp\tmpC7DE.tmp, ProcessId: 7160
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4jE4gfofqX.exe" , ParentImage: C:\Users\user\Desktop\4jE4gfofqX.exe, ParentProcessId: 3080, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, ProcessId: 6240
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\4jE4gfofqX.exe" , ParentImage: C:\Users\user\Desktop\4jE4gfofqX.exe, ParentProcessId: 3080, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4jE4gfofqX.exe" , ParentImage: C:\Users\user\Desktop\4jE4gfofqX.exe, ParentProcessId: 3080, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe, ProcessId: 6240
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866498556196356.6240.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5236, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.4jE4gfofqX.exe.42b4a50.2.raw.unpack; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "5ddb4cba-37cb-41bf-8dbf-b2a0e345", "Domain1": "nsayers4rm382.bounceme.net", "Domain2": "127.0.0.1", "Port": 2050, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Antivirus detection for URL or domain
Source: nsayers4rm382.bounceme.net; Avira URL Cloud: Label: malware
Yara detected Nanocore RAT
Source: Yara match; File source: 0.2.4jE4gfofqX.exe.42e7670.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.4jE4gfofqX.exe.42b4a50.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.4jE4gfofqX.exe.42e7670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.4jE4gfofqX.exe.42b4a50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.679409854.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.681763573.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.679721715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.689772422.0000000004194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.681331500.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 4jE4gfofqX.exe PID: 3080, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5236, type: MEMORYSTR
Machine Learning detection for sample
Source: 4jE4gfofqX.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\CGsmBdIfAIk.exe; Joe Sandbox ML: detected
Source: 7.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4jE4gfofqX.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\4jE4gfofqX.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4jE4gfofqX.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000013.00000000.710357979.0000000000F32000.00000002.00020000.sdmp, dhcpmon.exe.7.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: nsayers4rm382.bounceme.net
Source: Malware configuration extractor; URLs: 127.0.0.1
Source: Joe Sandbox View; ASN Name: SPD-NETTR SPD-NETTR
Source: global traffic; TCP traffic: 192.168.2.4:49776 -> 212.193.30.28:2050
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000007.00000003.701710687.0000000004865000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com6
Source: 4jE4gfofqX.exe, 00000000.00000003.653431280.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653488651.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653458673.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com8
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653742457.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653687112.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com9
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comCt
Source: 4jE4gfofqX.exe, 00000000.00000003.653905958.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653742457.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653687112.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653806293.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653842716.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653871879.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comams
Source: 4jE4gfofqX.exe, 00000000.00000003.653871879.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comcoF
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653742457.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653687112.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653806293.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653842716.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comcoJ
Source: 4jE4gfofqX.exe, 00000000.00000003.653905958.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comcooo
Source: 4jE4gfofqX.exe, 00000000.00000003.653431280.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653488651.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653458673.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comen
Source: 4jE4gfofqX.exe, 00000000.00000003.653431280.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653488651.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653458673.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comexce
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653488651.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comnew
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comng-
Source: 4jE4gfofqX.exe, 00000000.00000003.653660383.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653488651.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653630017.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653458673.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653587172.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653532200.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653511866.00000000053AE000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653562017.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comona
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: 4jE4gfofqX.exe, 00000000.00000003.656909945.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.657784719.00000000053A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: 4jE4gfofqX.exe, 00000000.00000003.658311603.00000000053A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers%
Source: 4jE4gfofqX.exe, 00000000.00000003.656622789.00000000053A8000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.656703264.00000000053A8000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.656736514.00000000053A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers.
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4jE4gfofqX.exe, 00000000.00000003.656523842.00000000053A8000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/S
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.657214468.00000000053A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4jE4gfofqX.exe, 00000000.00000003.657236775.00000000053A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers3
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
        Source: 4jE4gfofqX.exe, 00000000.00000003.661693250.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.657756165.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.656875320.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.656909945.00000000053A5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersD
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: 4jE4gfofqX.exe, 00000000.00000003.657784719.00000000053A5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersI
        Source: 4jE4gfofqX.exe, 00000000.00000003.658414564.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.658381629.00000000053A5000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.658451444.00000000053A5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersb
        Source: 4jE4gfofqX.exe, 00000000.00000003.683972284.0000000005370000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000002.691407826.0000000005370000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com4
        Source: 4jE4gfofqX.exe, 00000000.00000003.683972284.0000000005370000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000002.691407826.0000000005370000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com?
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsF
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomd
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgI
        Source: 4jE4gfofqX.exe, 00000000.00000003.683972284.0000000005370000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000002.691407826.0000000005370000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsivau
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
        Source: 4jE4gfofqX.exe, 00000000.00000003.658563423.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comv
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.651644316.000000000538B000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.651663774.000000000538B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: 4jE4gfofqX.exe, 00000000.00000003.651663774.000000000538B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com8
        Source: 4jE4gfofqX.exe, 00000000.00000003.651695593.000000000538B000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.651727009.000000000538B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comc;MLD
        Source: 4jE4gfofqX.exe, 00000000.00000003.652974130.0000000005374000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: 4jE4gfofqX.exe, 00000000.00000003.652974130.0000000005374000.00000004.00000001.sdmp, 4jE4gfofqX.exe, 00000000.00000003.653172088.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn#
        Source: 4jE4gfofqX.exe, 00000000.00000003.653172088.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: 4jE4gfofqX.exe, 00000000.00000003.652958948.00000000053AD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn6
        Source: 4jE4gfofqX.exe, 00000000.00000003.653172088.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn8
        Source: 4jE4gfofqX.exe, 00000000.00000003.652958948.00000000053AD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cni-f
        Source: 4jE4gfofqX.exe, 00000000.00000003.659690845.000000000537D000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
        Source: 4jE4gfofqX.exe, 00000000.00000003.660243751.0000000005374000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/$
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: 4jE4gfofqX.exe, 00000000.00000002.691900037.0000000006642000.00000004.00000001.s